Abstract

The paper presents a selection of recently developed and/or used techniques for equivalence-checking on infinite-state systems, and an up-to-date overview of existing results (as of September 2004).

1 Introduction 

A reactive system is a system which continuously interacts with its environment and whose behavior is strongly influenced by this interaction. Reactive systems usually consist of several asynchronous (but communicating) processes which run in parallel. This asynchrony, together with unpredictable actions of the environment, contributes to a high degree of non-determinism. Another characteristic feature is divergence; a reactive system is often supposed to run forever, though its processes can be dynamically created and terminated. Since reactive systems control potentially dangerous devices like power plants, airports, weapon systems, etc., there is a strong need for rigorous methods which allow one to prove correctness (or at least safety) of such systems.

Two popular approaches to formal verification of reactive systems are model-checking and equivalence-checking. In the model-checking approach, desired properties of the verified implementation are defined as a formula of a suitable modal logic, and then it is shown that (a formal model of) the implementation satisfies the formula. In the equivalence-checking approach, one constructs a formal model of the intended behavior of the verified system (called specification) and then it is shown that the implementation is equivalent to the specification.

* Supported by the research center Institute for Theoretical Computer Science (ITI), project 
A principal difficulty of automated formal verification is that reactive systems tend to have a very large state space. There are various strategies for tackling this problem. For example, the technique of symbolic model-checking introduced in (Burch et al. 1992) uses a symbolic state-space representation based on OBDDs (ordered binary decision diagrams). This method was successfully used for formal verification of hardware circuits. Partial-order reduction (as described, e.g., in (Clarke et al. 1999)) enables practical verification of concurrent software based on model-checking with the logic LTL. Though these methods handle systems with large state spaces, they are still limited to finite-state systems. However, many systems are (or should be seen as) unbounded, i.e., having a potentially infinite state space. For example, unbounded data types such as counters, stacks, channels, or queues require an infinite number of states. Parametrized systems (e.g., N philosophers, N/M readers/writers, etc.) should also be seen as infinite-state if we want to show their correctness for every choice of parameters. Another example is systems with a dynamically evolving structure (e.g., mobile networks).

Model-checking and equivalence-checking on infinite-state systems is a popular research field which has been attracting attention for almost two decades. Consequently, the collection of achieved results is large and diverse today. There have been several surveys presenting various subfields of this research area, like (Moller 1996; Esparza 1997; Jančar and Moller 1999; Bouajjani 2001; Srba 2002a), including a major Handbook chapter (Burkart et al. 1999). This paper is intended as a contribution to the collection of surveys, and its aim is twofold. First, it presents a selection of some recently developed techniques for equivalence-checking on infinite-state systems which have not yet been fully covered in the existing surveys. The emphasis is on explaining the core of the underlying principles rather than presenting full proofs of particular results. Second, the paper gives an up-to-date overview of existing results for equivalence-checking on infinite-state systems (as of September 2004).

The style of presentation adopted in this paper reflects the authors' intention to explain "proof techniques" rather than particular proofs. Ideally, this would be achieved by first formulating a given technique "abstractly", and then showing how it applies in concrete situations. In most cases, we provide a detailed explanation just for the "abstract" part, and then indicate how and where the principle can be applied without going much into details (just pointing to the relevant literature). When we feel that the abstract formulation is too vague, the functionality is demonstrated on concrete examples.

The paper is organized as follows. Section 2 contains basic definitions. Section 3 is devoted to the presentation of selected proof techniques. In particular, Section 3.1 presents general results about the relationship between simulation preorder/equivalence and bisimulation equivalence. Subsection 3.1.1 starts with a simple observation about a specific power of the defender in simulation games. This observation is then used in a general reduction scheme which allows one to (efficiently) reduce bisimilarity problems to their simulation counterparts. In Subsection 3.1.2 it is shown that there is also a generic "reduction" of the simulation equivalence problem to the bisimilarity problem. Although this "reduction" is rarely effective (due to fundamental reasons), it reveals a simple and generic relationship between simulation equivalence and bisimilarity.

Section 3.2 is devoted to selected techniques which have recently been used to establish new decidability results and upper complexity bounds for equivalence-checking problems. In Subsection 3.2.1 the technique of bisimulation bases is recalled (in a somewhat "abstracted" form) and then it is shown how this technique applies to checking weak bisimilarity between infinite and finite-state systems. In Subsection 3.2.2 the problem of effective constructibility of characteristic formulae which express the equivalence with a given finite-state system is examined. First, well-known results about the constructibility of characteristic formulae in the modal μ-calculus are recalled. Then, it is shown how to construct characteristic formulae w.r.t. (strong and weak) bisimilarity in the simpler logic EF. In Subsection 3.2.3 the so-called DD-functions are presented. This is a recently discovered "tool" used for several decidability and complexity results.

In Section 3.3 we discuss techniques for undecidability and lower complexity bounds. A common principle which is used in almost all undecidability and hardness proofs for bisimilarity- and simulation-checking problems is the ability of the defender to "force" the attacker to perform a specific transition. The variant for simulation-checking is, in fact, discussed already in Subsection 3.1.1; a similar principle exists also for bisimilarity. Since the abstract formulation of the two techniques does not say much about their applicability, we demonstrate them on selected examples.

Section 4 contains an up-to-date overview of existing results.

2 Basic Definitions 

The set of all non-negative integers 0, 1, 2, ... is denoted by ℕ. The symbol ω is used to denote an infinite amount.

The first step of formal verification is to create a formal model of the verified system. The low-level semantics of such a model is given by its associated transition system; in our framework we assume that transitions (between states) are labelled by actions taken from a finite set.

Definition 1 

A transition system is a triple T = (S, Act, →) where S is a set of states, Act is a finite set of actions, and → ⊆ S × Act × S is a transition relation.

Processes are formally understood as states in transition systems; from now on we do not distinguish between "states" and "processes". The dynamics of processes, i.e., possible computational steps, are defined by the transition relation. We write s —a→ t instead of (s, a, t) ∈ →, and say that t is an a-successor of s. This notation is extended to finite strings over Act in the natural way. A state t is reachable from a state s, written s →* t, if there is w ∈ Act* such that s —w→ t. A transition system is image-finite if each state has only finitely many a-successors for every a ∈ Act. The branching degree of a transition system T, denoted d(T), is the least k ∈ ℕ such that every state of T has at most k successors (if there is no such k then d(T) = ∞).

Fig. 1. Processes s, t, and u.

2.1 Behavioral Equivalences 

The notion of process equivalence can be formalized in many different ways (van Glabbeek 1999; van Glabbeek 1993). A straightforward idea is to employ the classical notion of language equivalence from automata theory (here we consider all states as accepting):

Definition 2 

Let T = (S, Act, →) be a transition system, s ∈ S. We say that w ∈ Act* is a trace of s iff s —w→ s' for some s'. Let tr(s) be the set of all traces of s. We write s ⊑_tr t iff tr(s) ⊆ tr(t). Moreover, we say that s and t are trace equivalent, written s =_tr t, iff tr(s) = tr(t).

In concurrency theory, trace equivalence is usually considered as being too coarse. For example, the processes s and t of Fig. 1 are trace equivalent but their behavior is different — s can do either b or c (but not both) after performing a, while t can always choose between b and c after a. A finer level of "semantical sameness" of two processes can be defined by formalizing the ability of one process to "mimic" (or simulate) computational steps of another process.

Definition 3 

Let T = (S, Act, →) be a transition system, s, t ∈ S. A binary relation R over S is a simulation iff whenever (s, t) ∈ R then for every a ∈ Act

if s —a→ s' then t —a→ t' for some t' such that (s', t') ∈ R.

A process s is simulated by a process t, written s ⊑_sm t, iff there is a simulation R such that (s, t) ∈ R. Note that the relation ⊑_sm is a preorder. We say that s and t are simulation equivalent, written s =_sm t, iff s ⊑_sm t and t ⊑_sm s.

For example, for the processes of Fig. 1 we have that s ⊑_sm t, t ⋢_sm s, and t =_sm u.

Simulation preorder and equivalence can also be defined in terms of games (Stirling 2001; Thomas 1993). Imagine there are two tokens put on states s and t. Two players, the attacker and the defender, start to play a simulation game which consists of a (possibly infinite) sequence of rounds, where each round is performed as follows:

1. the attacker takes the first token (the one which was put on s originally) and moves it along an arbitrary transition labeled by some a ∈ Act;

2. the defender has to respond by moving the other token along some transition with the same label a.

One player wins if the other player cannot move. Moreover, the defender wins every infinite play. It is easy to see that s ⊑_sm t iff the defender has a universal winning strategy. Simulation equivalence can be understood similarly; we simply allow the attacker to choose his token at the beginning of the first round.

The finest (and probably the most important) behavioral equivalence we consider is bisimulation equivalence (Park 1981; Milner 1989).

Definition 4 

Let T = (S, Act, →) be a transition system, s, t ∈ S. A binary relation R over S is a bisimulation iff whenever (s, t) ∈ R then for every a ∈ Act

• if s —a→ s' then t —a→ t' for some t' such that (s', t') ∈ R,

• if t —a→ t' then s —a→ s' for some s' such that (s', t') ∈ R.

Processes s, t are bisimulation equivalent (or bisimilar), written s ~ t, iff there is a bisimulation R such that (s, t) ∈ R.

A bisimulation game is defined in the same way as the simulation game. The only difference is that the attacker can choose his token at the beginning of every round (the defender has to respond with the other token). Again we have that s ~ t iff the defender has a universal winning strategy in the bisimulation game initiated in s, t. For example, one can check that the processes s, t, u of Fig. 1 are pairwise non-bisimilar.

Internal computational steps which are not directly observable are by convention denoted by a special action τ. The notion of weak bisimilarity (Milner 1989) allows one to "ignore" the internal steps to some extent.

Definition 5 

Let T = (S, Act, →) be a transition system. The extended transition relation ⇒ ⊆ S × Act × S is defined as follows: s =a⇒ t iff one of the two conditions holds:

• a ≠ τ and there are s', s'' ∈ S, i, j ∈ ℕ such that s —τ^i→ s' —a→ s'' —τ^j→ t.

• a = τ and there is i ∈ ℕ such that s —τ^i→ t.

Here s —τ^0→ s' iff s = s'. In particular, this means that s =τ⇒ s for every s ∈ S. A binary relation R over S is a weak bisimulation iff whenever (s, t) ∈ R then for every a ∈ Act

• if s =a⇒ s' then t =a⇒ t' for some t' such that (s', t') ∈ R,

• if t =a⇒ t' then s =a⇒ s' for some s' such that (s', t') ∈ R.

Processes s, t are weakly bisimulation equivalent (or weakly bisimilar), written s ≈ t, iff there is a weak bisimulation R such that (s, t) ∈ R.

A weak bisimulation game is defined in the same way as the bisimulation game, but both players now use the extended transitions.

We say that processes s and t are bisimilar up to i ∈ ℕ, written s ~_i t, if the defender has a winning strategy for the first i rounds of the bisimulation game initiated in s and t. It is easy to see that ~_i is an equivalence relation and that ~_{i+1} refines ~_i for every i ∈ ℕ. Also note that s ~_0 t for all processes s, t. An important observation, taken from (Baeten et al. 1987), is

Theorem 1

Let T = (S, Act, →) be a transition system and let s, t be processes of T such that each state t' reachable from t has only finitely many a-successors for every a ∈ Act (note that there is no assumption about the process s). Then s ~ t iff s ~_i t for every i ∈ ℕ.

Proof

The "⇒" direction is obvious. For the other direction, one can check that the relation R = {(s', t') | (∀i ∈ ℕ : s' ~_i t') ∧ t →* t'} is a bisimulation: Since t' has finitely many a-successors, for each s' —a→ s'' there must be some t' —a→ t'' such that ∀i ∈ ℕ : s'' ~_i t''. Now consider a move t' —a→ t''. Obviously, for each i ∈ ℕ there is s' —a→ s_i such that s_i ~_i t''. Each of the s' —a→ s_i moves must be matched by some transition of t'. Since t' has only finitely many a-successors, there is a transition t' —a→ t''' which was used infinitely many times. That is, there is an infinite sequence s_{i_1}, s_{i_2}, ... such that for each s_{i_j} we have ∀i ∈ ℕ : s_{i_j} ~_i t'''. This means ∀i ∈ ℕ : t''' ~_i t'', and hence for every s_{i_j} we have ∀i ∈ ℕ : s_{i_j} ~_i t''. □

Weak bisimilarity up to i ∈ ℕ, denoted ≈_i, is defined in the same way (we use the weak bisimulation game). The aforementioned observations about ~_i are valid also for ≈_i (incl. Theorem 1, where the a-successors are considered w.r.t. ⇒).
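As an added illustration of Definitions 3 to 5 and of the approximants ~_i (example code written for this page, not the paper's), the following Python computes simulation preorder, (weak) bisimilarity and ~_i as greatest fixpoints of the one-round game condition over finite transition systems. The transition systems FIG1 and WEAK are constructed here; FIG1 follows the textual description of the processes s, t, u of Fig. 1, which is not reproduced on the page.

```python
from itertools import product

# Constructed transition systems (added for this example; the paper's figures are
# not reproduced on the page). FIG1 follows the description of Fig. 1 in the
# text; WEAK is a constructed pair for the weak-bisimilarity check.
# Each state maps to its list of (action, successor) transitions.
FIG1 = {
    # s already commits to b or c at the a-step
    "s": [("a", "s1"), ("a", "s2")], "s1": [("b", "s3")], "s2": [("c", "s4")],
    "s3": [], "s4": [],
    # t can always choose between b and c after a
    "t": [("a", "t1")], "t1": [("b", "t2"), ("c", "t3")], "t2": [], "t3": [],
    # u is simulation equivalent to t but not bisimilar to it
    "u": [("a", "u1"), ("a", "u2")], "u1": [("b", "u3"), ("c", "u4")],
    "u2": [("b", "u5")], "u3": [], "u4": [], "u5": [],
}
WEAK = {  # v and w differ only by an internal tau step
    "v": [("a", "v1")], "v1": [],
    "w": [("tau", "w1")], "w1": [("a", "w2")], "w2": [],
}


def succ(ts, state, action):
    return {t for a, t in ts[state] if a == action}


def answered(ts, rel, s, t):
    """True iff every move s -a-> s' has an answer t -a-> t' with (s', t') in rel."""
    return all(any((s2, t2) in rel for t2 in succ(ts, t, a)) for a, s2 in ts[s])


def refine(ts, rel, symmetric):
    """One game round: keep (s, t) only if the attacker cannot win immediately.
    With symmetric=True the attacker may also move the t token (bisimulation)."""
    inv = {(y, x) for x, y in rel}
    return {(s, t) for s, t in rel
            if answered(ts, rel, s, t) and (not symmetric or answered(ts, inv, t, s))}


def up_to(ts, i, symmetric=True):
    """The approximant ~_i: i refinement rounds starting from S x S (= ~_0),
    i.e. the pairs from which the defender survives the first i rounds."""
    rel = set(product(ts, ts))
    for _ in range(i):
        rel = refine(ts, rel, symmetric)
    return rel


def greatest(ts, symmetric):
    """Greatest fixpoint of refine. For a finite (hence image-finite) system the
    chain ~_0 ⊇ ~_1 ⊇ ... stabilises there, which is what Theorem 1 says."""
    rel = set(product(ts, ts))
    while True:
        nxt = refine(ts, rel, symmetric)
        if nxt == rel:
            return rel
        rel = nxt


def simulated_by(ts, s, t):        # s ⊑_sm t (Definition 3)
    return (s, t) in greatest(ts, symmetric=False)


def sim_equivalent(ts, s, t):      # s =_sm t
    return simulated_by(ts, s, t) and simulated_by(ts, t, s)


def bisimilar(ts, s, t):           # s ~ t (Definition 4)
    return (s, t) in greatest(ts, symmetric=True)


def extended(ts, tau="tau"):
    """The extended relation => of Definition 5: s =a=> t is tau* a tau* for
    a != tau, and tau* for a == tau (so s =tau=> s holds for every s)."""
    def tau_star(x):
        seen, todo = {x}, [x]
        while todo:
            y = todo.pop()
            for a, z in ts[y]:
                if a == tau and z not in seen:
                    seen.add(z)
                    todo.append(z)
        return seen
    ext = {}
    for s in ts:
        moves = {(tau, x) for x in tau_star(s)}
        for s1 in tau_star(s):
            for a, s2 in ts[s1]:
                if a != tau:
                    moves |= {(a, x) for x in tau_star(s2)}
        ext[s] = sorted(moves)
    return ext


def weakly_bisimilar(ts, s, t, tau="tau"):   # s ≈ t
    """Weak bisimilarity is strong bisimilarity over the extended transitions."""
    return bisimilar(extended(ts, tau), s, t)


if __name__ == "__main__":
    print(simulated_by(FIG1, "s", "t"), simulated_by(FIG1, "t", "s"))  # True False
    print(sim_equivalent(FIG1, "t", "u"), bisimilar(FIG1, "t", "u"))   # True False
    print(bisimilar(WEAK, "v", "w"), weakly_bisimilar(WEAK, "v", "w"))  # False True
```

The pair (t, u) survives one round of refinement but not two, which is the game reading of "t ~_1 u but not t ~_2 u".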

Behavioral equivalences can also be used to relate processes of different transition systems. Formally, we can consider two transition systems to be a single one by taking their disjoint union (the labeling of transitions is preserved).

The relationship among the introduced equivalences is given by =_tr ⊇ =_sm ⊇ ~. Weak bisimilarity properly subsumes ~ and is incomparable with =_tr and =_sm. (We do not consider weak versions of trace equivalence and simulation equivalence in this paper.) There are also other behavioral preorders and equivalences studied within the framework of concurrency theory. It seems, however, that trace, simulation, and especially (weak) bisimulation equivalence are of special importance as their accompanying theories are developed very intensively. Moreover, each equivalence in the linear/branching time spectrum of (van Glabbeek 1999) can be classified either as trace-like or as simulation-like. This means that =_tr, =_sm, and ~ are good representatives for the whole spectrum; techniques and results achieved for these equivalences usually extend to others.

2.2 Formal Models of Infinite-State Systems

In this section we formally introduce some of the studied models of infinite-state systems. At a certain level of abstraction, most of them can be seen as various types of term rewriting systems. The structure of terms represents both control and data of the system, and the individual rewriting steps model atomic computational steps. We start with the definition of a general process rewrite system (PRS) (Mayr 2000c). Then, we define various subclasses of PRS by imposing certain restrictions on the introduced formalism.

We assume a countably infinite set 𝒞 of (process) constants. The abstract syntax of general process expressions is given by

E ::= X | ε | E·E | E‖E

where the (meta)variable X ranges over 𝒞 and ε denotes the empty expression. Intuitively, "·" corresponds to sequencing, while "‖" models a simple form of parallelism. From now on we do not distinguish between expressions related by the structural congruence, which is the smallest congruence over ℰ satisfying the following laws: "·" and "‖" are associative, ε is the unit for both operators, and "‖" is also commutative.

The set of all process expressions is denoted by ℰ. The sets of sequential and parallel expressions, denoted 𝒮 and 𝒫, are formed by all process expressions which do not contain any "‖" and "·", respectively. Observe that parallel expressions can also be seen as multisets of constants. Given C ⊆ 𝒞, we use 𝒮(C), 𝒫(C), and ℰ(C) to denote the set of all sequential expressions, parallel expressions, and general expressions, respectively, which contain only the constants from C.

We also assume a countably infinite set 𝒜 of actions, ranged over by a, b, c, ...

A process rewrite system (PRS) is a finite subset Δ of ℰ × 𝒜 × ℰ. Elements of Δ are called rules (a rule (α, a, β) is usually written α —a→ β). Given a PRS Δ, we use 𝒞(Δ) to denote the set of all constants appearing in the rules of Δ. We also use 𝒮(Δ), 𝒫(Δ), and ℰ(Δ) to denote 𝒮(𝒞(Δ)), 𝒫(𝒞(Δ)), and ℰ(𝒞(Δ)), respectively. Moreover, 𝒜(Δ) denotes the set of actions which are used in the rules of Δ.

Each PRS Δ determines a unique transition system T_Δ where ℰ(Δ) is the set of states, 𝒜(Δ) is the set of actions, and the transition relation is determined by the following inference rules (which should be understood modulo the structural congruence over expressions introduced above):

$$\frac{(E \xrightarrow{a} F) \in \Delta}{E \xrightarrow{a} F} \qquad \frac{E \xrightarrow{a} F}{E \cdot G \xrightarrow{a} F \cdot G} \qquad \frac{E \xrightarrow{a} F}{E \parallel G \xrightarrow{a} F \parallel G}$$

Various subclasses of PRS can be obtained by imposing certain restrictions on the form of the rules. Such a restriction is formally specified by a pair (A, B), where A and B are the subsets of expressions which can appear at the left-hand side and the right-hand side of rules, respectively. It has been argued in (Mayr 2000c) that "reasonable" restrictions should satisfy A ⊆ B. Moreover, if Δ is an (A, B)-restricted PRS, then the set of states of T_Δ is restricted to B ∩ ℰ(Δ). Some of the most important subclasses of PRS are listed below.

• Finite state (FS) systems. These are (𝒞, 𝒞)-restricted PRS which correspond to "ordinary" nondeterministic finite automata; the only difference is that there are no initial/final states.

• BPA systems. The restriction is (𝒞, 𝒮). This model corresponds to the BPA (Basic Process Algebra) fragment of ACP (Baeten and Weijland 1990).

• BPP systems. The restriction is (𝒞, 𝒫). BPP (Basic Parallel Processes) first appeared in the work (Christensen 1993).
• PA systems. The restriction is (𝒞, ℰ). PA (Process Algebra) systems subsume both BPA and BPP systems and correspond to another natural fragment of ACP (Baeten and Weijland 1990).

• PDA systems. The restriction is (𝒮, 𝒮). It has been shown in (Caucal 1992) that every PDA system Δ can be efficiently transformed to a "normal form" Δ' where

— the set 𝒞(Δ') can be partitioned into two disjoint subsets Control(Δ') and Stack(Δ');

— the rules are of the form p·X —a→ q·β where p, q ∈ Control(Δ'), X ∈ Stack(Δ'), and β ∈ 𝒮(Stack(Δ'));

— the set of states of T_Δ' is restricted to those elements of 𝒮(Δ') which are of the form p·α where p ∈ Control(Δ') and α ∈ 𝒮(Stack(Δ')).

Hence, PDA systems correspond to pushdown automata (Hopcroft and Ullman 1979). Consistently with the standard notation, we write pα instead of p·α. Observe that BPA can also be seen as PDA with just one control state.

• PN systems. The restriction is (𝒫, 𝒫). PN systems correspond to the well-known model of Petri nets. Here the elements of 𝒞(Δ) are referred to as places and the states of T_Δ (i.e., multisets of places) as markings. In the rest of this paper we use the standard graphical representation of Petri nets to define PN systems — places are depicted as circles, and for every rule X_1‖...‖X_n —a→ Y_1‖...‖Y_m we draw a new square labeled by "a". The square is connected to every X_i by an arrow pointing to the square, and to every Y_j by an arrow pointing to Y_j. For example, the middle part of the corresponding figure represents the rule Q_i‖C_j → Q_k, and the right-hand part represents the rules Q_i → Q_k, Q_i‖C_j → Q'_k‖C_j, etc.

• PPDA systems. This is a subclass of PN known as "Parallel PushDown Automata" (Moller 1996). A system Δ is PPDA if the set 𝒞(Δ) can be partitioned into two disjoint subsets Control(Δ) and Stack(Δ) so that every rule of Δ is of the form p‖X —a→ q‖β where p, q ∈ Control(Δ), X ∈ Stack(Δ), and β ∈ 𝒫(Stack(Δ)).

For a PPDA system Δ, the set of states of T_Δ is restricted to those elements of 𝒫(Δ) which are of the form p‖α where p ∈ Control(Δ) and α ∈ 𝒫(Stack(Δ)). Usually we write pα instead of p‖α.

• OC-A systems. These are PDA systems in normal form such that Stack(Δ) = {I, Z} and all transitions are of the form pZ —a→ qI^iZ or rI —a→ sI^j, where i, j ≥ 0. Here I^i denotes the sequential composition of i copies of the symbol I. The set of states of T_Δ is restricted to Control(Δ) × {I^iZ | i ≥ 0}. Hence, OC-A systems are one-counter automata where the counter ranges over nonnegative values. The counter can be incremented, decremented (if positive), and tested for zero.

• OC-N systems. These are OC-A systems which in addition satisfy the following condition: if pZ —a→ qI^iZ is a rule of Δ, then also pI —a→ qI^iI is a rule of Δ. In other words, there are no "zero-specific" transitions which could be used to test the counter for zero. OC-N systems are equivalent to Petri nets with at most one unbounded place.

Let C be one of the just defined subclasses of PRS. A C-process is a state in T_Δ where Δ is a member of C. The class of all C-processes is denoted C. Important subclasses of BPA, BPP, and PA systems can be obtained by an extra condition of normedness. A BPA, BPP, or PA system Δ is normed if for every X ∈ 𝒞(Δ) we have X →* ε. Hence, a system is normed if each of its processes can terminate via a finite number of transitions. The normed subclasses of BPA, BPP, and PA are denoted by nBPA, nBPP, and nPA, respectively.
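The inference rules for T_Δ, read for the (𝒞, 𝒮) and (𝒞, 𝒫) restrictions, and the normedness condition can be made concrete as follows (example code added for this page, not from the paper; the rule set RULES is constructed for illustration). The same rules give a BPA system when right-hand sides are read as sequences and a BPP system when they are read as multisets, and the two readings produce different successor sets.

```python
# Constructed rule set (added for this example, not from the paper). Rules are
# (lhs, action, rhs) with a single constant on the left-hand side, so the same
# set can be read as a BPA system (rhs as a sequence, the (C,S) restriction) or
# as a BPP system (rhs as a multiset, the (C,P) restriction):
#   X -a-> X.Y (resp. X||Y),  X -b-> eps,  Y -c-> eps,  Z -d-> Z
RULES = [("X", "a", ("X", "Y")), ("X", "b", ()), ("Y", "c", ()), ("Z", "d", ("Z",))]


def bpa_successors(rules, word):
    """(C,S)-restricted PRS: a sequential expression is a tuple of constants and
    only its head X may be rewritten, X.alpha -a-> beta.alpha (rule E.G -> F.G)."""
    if not word:                      # the empty expression eps has no moves
        return set()
    head, rest = word[0], word[1:]
    return {(a, beta + rest) for lhs, a, beta in rules if lhs == head}


def bpp_successors(rules, multiset):
    """(C,P)-restricted PRS: a parallel expression is a multiset, kept as a sorted
    tuple (the structural congruence makes || commutative), and any constant X
    in it may be rewritten, X||alpha -a-> beta||alpha (rule E||G -> F||G)."""
    result = set()
    for i, x in enumerate(multiset):
        if i and multiset[i - 1] == x:  # same constant, same successors
            continue
        rest = multiset[:i] + multiset[i + 1:]
        result |= {(a, tuple(sorted(rest + beta))) for lhs, a, beta in rules if lhs == x}
    return result


def reachable(successors, start, depth):
    """States reachable in at most `depth` steps. For RULES the state space of
    T_Delta is infinite (X.Y^k for every k), so the exploration is bounded."""
    seen, frontier = {start}, {start}
    for _ in range(depth):
        frontier = {t for s in frontier for _, t in successors(s)} - seen
        seen |= frontier
    return seen


def constants(rules):
    """C(Delta): all constants appearing in the rules."""
    return {lhs for lhs, _, _ in rules} | {c for _, _, beta in rules for c in beta}


def normed_constants(rules):
    """Least fixpoint: X ->* eps iff some rule X -a-> beta has every constant of
    beta already known to reach eps (beta = () means X -a-> eps directly)."""
    normed = set()
    while True:
        new = {lhs for lhs, _, beta in rules if all(c in normed for c in beta)}
        if new <= normed:
            return normed
        normed |= new


def is_normed(rules):
    """A BPA/BPP system is normed iff every constant can terminate."""
    return constants(rules) <= normed_constants(rules)


if __name__ == "__main__":
    print(bpa_successors(RULES, ("X", "Y")))   # {('a', ('X','Y','Y')), ('b', ('Y',))}
    print(bpp_successors(RULES, ("X", "Y")))   # additionally ('c', ('X',)): Y fires in parallel
    print(is_normed(RULES), normed_constants(RULES))  # False {'X', 'Y'}
```

Removing the rule for Z makes the system normed, since X and Y can both reach ε.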

Let ≤ be an ordering over process classes defined by C_1 ≤ C_2 iff for every C_1-process there is a bisimilar C_2-process. The relationship among the introduced subclasses of processes (w.r.t. ≤) is shown in the following figure (we refer to (Moller 1996) for results about expressiveness).

[Figure: the ordering ≤ among process classes. Top row: PDA, PA, PN. Middle row: BPA, OC-N, BPP. Bottom: FS.]

Let ~ be a relation over processes. The problem of deciding ~ between processes of process classes A and B is denoted A ~ B. For example, the problem of deciding bisimilarity between BPA and BPP processes is denoted BPA ~ BPP, and the problem of deciding simulation preorder between PA and FS processes is denoted PA ⊑_sm FS.



3 Some Recent Techniques and Results 

In this section we explain some techniques which have recently been used to establish new decidability/complexity results for equivalence-checking on infinite-state systems. The material is divided into three (sub)sections. In Section 3.1 we explore the relationship between bisimilarity and simulation equivalence. Section 3.2 sketches some techniques for decidability and upper complexity bounds. Section 3.3 deals with techniques for undecidability and lower complexity bounds.

The generality and versatility of proof techniques is of course hard to measure. In the context of equivalence-checking on infinite-state systems, one good indication of a wider applicability of a given technique is a possibility to formulate its underlying principle in terms of transition systems (then we can say that the technique is "implemented" in a given syntax). However, such a formulation is not always possible despite a clear feeling that many proofs are just "instances" of the same idea. Here, we have to rely on an informal explanation and present an example which uses the technique in its simple and "clean" form.
3.1 The Relationship Between Simulation and Bisimulation

Since formal definitions of simulation and bisimulation are quite similar, a natural question is whether the decidability/complexity results achieved for one of the equivalences carry over to the other one. In this section we examine the question in greater detail.



3.1.1 Reducing Bisimilarity to Simulation Preorder/Equivalence.

According to the known decidability/complexity results for simulation and bisimilarity (which will be presented in Section 4), the problems A ⊑_sm B and A =_sm B are computationally harder than the problem A ~ B for all major process classes A and B. The aim of this section is to show that this is not a pure coincidence — there are general techniques which allow one to (polynomially) reduce bisimilarity to simulation preorder/equivalence over many classes of infinite-state systems. The material presented in this section is based mainly on (Kučera and Mayr 2002d).

We start with a simple observation about a specific power of the defender in simulation games. Although the defender moves only his token during a play, his choice of a defending move can indirectly "force" the attacker to do a specific transition (with the attacker's token) in the next round. To illustrate this, we consider the first two rounds of the simulation game for the states s and t in the transition system of Fig. 2 (left and middle). After the attacker plays his only a-move, the defender can choose between moving to t_b or t_c. When he moves to t_b, he forces the attacker to use a b-move in the next round — if the attacker plays any other action, the defender moves to a state which enables all actions forever and therefore wins. Similarly, when the defender moves to t_c, he forces the attacker to use a c-move. We say that the b- and c-transitions are enforced by t_b and t_c, respectively. To simplify our figures, we indicate the states which enforce the actions of their outgoing transitions by black-filled circles. So, the middle part of Fig. 2 can be simplified to the right-hand part of Fig. 2.

Fig. 2. The defender can enforce b or c in the second round.

The defender's ability to enforce the next attacker's transition is a crucial ingredient of several "hardness proofs" for simulation preorder/equivalence. (We address this issue in greater detail in Section 3.3, where we also deal with a similar technique for bisimilarity.) Moreover, this was used in (Kučera and Mayr 2002d) to show that there are general "reduction schemes" allowing for efficient reductions of the A ~ B problem to the A ⊑_sm B problem for certain process classes A and B. More specifically, such a "reduction scheme" defines for every pair of processes s, t a new pair of processes s', t' so that s ~ t iff s' ⊑_sm t'. The scheme is "applicable" to process classes A and B if for all processes s ∈ A and t ∈ B we have that s' and t' are efficiently definable in the syntax of A and B, respectively.

The existing reduction schemes are based on a possibility to emulate one round of the bisimulation game by one or two rounds of the simulation game. Here, the above discussed enforcing of transitions is used to emulate the "exchange of tokens" which can take place in the bisimulation game. To get a better idea of how this can be done, consider two states s, t of transition systems S and T which have the same set of actions Act and max{d(S), d(T)} ≤ 3 (i.e., the branching degrees are at most 3). Further, let us suppose that s and t have just two successors s_1, s_2 and t_1, t_2, respectively (see top of Fig. 3). We show how to emulate one round of the bisimulation game initiated in s and t by at most two rounds of the simulation game initiated in (other) states s' and t' of transition systems S' and T' so that

s ~ t iff s' ⊑_sm t'.

Fig. 3. The reduction of bisimilarity to simulation preorder. The systems S and T are in the first row (left and right, resp.), and the systems S' and T' are in the second row (left and right, resp.).

Here the systems S' and T' (see Fig. 3) are obtained just by extending S and T by other states and transitions labeled by fresh actions (the set of actions of S' and T' is denoted by Act'). The definition of S' (or T') depends just on S (or T), Act, and max{d(S), d(T)}. The rules of the bisimulation game allow the attacker to choose his token at the beginning of every round. If he plays with the token put on s (e.g., by performing s —a→ s_1), the emulation is trivial and takes just one round of the simulation game initiated in s' and t' (in our case, the attacker would play s' —a→ s'_1 and the defender could also just mimic the response from the bisimulation game between s and t). Now suppose that the attacker takes the other token and plays, e.g., t —a→ t_2. In this case, the emulation is slightly more complicated and takes two rounds. First, the attacker performs the λ^a_2-loop on s'. By doing so, he in fact says that he wants to emulate the second a-transition of t in T (hence, the λ has a and 2 as its upper and lower index, respectively). To enable the attacker to emulate moves from any state (not just t), we provide max{d(S), d(T)} distinct λ^x_i-loops for each action x ∈ Act. In Fig. 3 we indicated just those successors of s' and t' which handle the action a; if there was another b ∈ Act, there would be a family of analogously constructed λ^b_i and δ^b_i transitions of s' and t' even if s and t have no outgoing b-transitions. As a response to the λ^a_2-loop played by the attacker, the defender can choose a state which enforces either δ^a_1, δ^a_2, or δ^a_3. Intuitively, he says that he wants to emulate the move to the first/second/third a-successor of s in S. The δ^a_3 is needed because the defender must be able to act accordingly for any position of the attacker's token. This finishes the first round, i.e., the first emulation phase where each of the two players makes his choice. The purpose of the second round is to ensure that the resulting position of tokens (after performing the second round) really corresponds to the choice which has been made. In our scenario, the attacker is forced to play the chosen δ^a_i action, and the only possibility available to the defender is to go to the state which was previously selected by the λ^a_2 action, i.e., to t'_2.

If one of the two players cheats in the first round by trying to emulate a transition which does not really exist in s or t, the other player wins. For example, if the attacker performs the λ^a_3-loop on s' (i.e., he chooses the third a-successor of t, which does not exist), the defender can respond by going to a state which can simulate everything. Similarly, if the attacker plays λ^a_2 and the defender enforces δ^a_3, the attacker wins in two rounds by performing δ^a_3 and then ✓. It follows that s ~ t iff s' ⊑_sm t'.

The above scheme is applicable to process classes $\mathcal{A}$ and $\mathcal{B}$ if the syntax of $\mathcal{A}$ and $\mathcal{B}$ allows one to "test for non-enabledness" of transitions. Examples include PDA, BPA, OC-A, 1-safe Petri nets, finite-state automata, etc. This means that, e.g., the problem PDA $\sim$ FS is polynomially reducible to PDA $\sqsubseteq_{sm}$ FS and FS $\sqsubseteq_{sm}$ PDA. Moreover, simulation preorder is easily reducible to simulation equivalence as follows: given processes $s$ and $t$, we define other processes $s'$ and $t'$ which have (exactly) the transitions $s' \to s$, $s' \to t$, and $t' \to t$. We see that $s \sqsubseteq_{sm} t$ iff $s' =_{sm} t'$. This reduction is easily applicable to almost all process classes (thus, e.g., PDA $\sim$ FS is polynomially reducible to PDA $=_{sm}$ FS). However, there are also process classes to which the above scheme is not applicable. For example, general Petri nets cannot test a place for non-emptiness and therefore we cannot implement the families of $\lambda$ and $\delta$ transitions in the syntax of Petri nets. However, the bisimilarity problem for Petri nets is still polynomially reducible to the problem of simulation preorder/equivalence by employing a different reduction scheme (also presented in (Kucera and Mayr 2002d)). There are also models (like, e.g., BPP or PA) where none of the known schemes works. An interesting question is if the existing schemes can be further generalized so that they cover all "reasonable" classes of infinite-state systems. A more detailed discussion can be found in (Kucera and Mayr 2002d).
3.1.2 Reducing Simulation Equivalence to Bisimilarity.

The results which will be presented in Section 3.3 indicate that there cannot be any general scheme for an efficient reduction of simulation equivalence to bisimilarity. Nevertheless, there is a general principle which can, in some sense, be seen as such a "reduction". Of course, this "reduction" is not effective in general. It can be effectively applied only in some restricted cases. Nevertheless, it also reveals an interesting relationship between simulation equivalence and bisimilarity and therefore we present it shortly. This subsection is based on (Kucera and Mayr 2002b).

Let $\mathcal{T} = (S, Act, \to)$ be an image-finite transition system. A transition $s \xrightarrow{a} t$ is maximal iff for every transition of the form $s \xrightarrow{a} t'$ we have that if $t \sqsubseteq_{sm} t'$ then also $t' \sqsubseteq_{sm} t$. In other words, $s \xrightarrow{a} t$ is maximal if $t$ is maximal w.r.t. simulation preorder among all $a$-successors of $s$. Note that if the set of all $a$-successors of $s$ is nonempty, there must be at least one maximal $a$-transition from $s$ because $\mathcal{T}$ is image-finite. For example, the only maximal transition of the process $u$ of the figure is the middle one.

Definition 6

Let $\mathcal{T} = (S, Act, \to)$ be an image-finite transition system. We define the system $\bar{\mathcal{T}} = (\bar{S}, Act, \mapsto)$ where $\bar{S} = \{\bar{s} \mid s \in S\}$ and $\bar{s} \overset{a}{\mapsto} \bar{t}$ iff $s \xrightarrow{a} t$ is a maximal transition of $\mathcal{T}$.

Hence, $\bar{\mathcal{T}}$ is obtained from $\mathcal{T}$ by renaming its states and deleting all non-maximal transitions. Now consider a simulation game between states $s$ and $\bar{s}$. Intuitively, none of the two players can gain anything by using the non-maximal transitions because they are surely not the most optimal attacks/defenses. Thus, we obtain that $s =_{sm} \bar{s}$ for every $s \in S$. From this we immediately get that $s =_{sm} t$ iff $\bar{s} =_{sm} \bar{t}$ for all $s, t \in S$. Finally, note that if $\bar{s} =_{sm} \bar{t}$ then also $\bar{s} \sim \bar{t}$. To see this, one can readily check that the relation $R = \{(\bar{s}, \bar{t}) \mid \bar{s} =_{sm} \bar{t}\}$ is a bisimulation. As a simple consequence of the presented observations, we obtain

Theorem 2

Let $\mathcal{T}$ be an image-finite transition system. For all $s, t \in S$ we have that $s =_{sm} t$ iff $\bar{s} \sim \bar{t}$, where $\bar{s}$ and $\bar{t}$ are the "twins" of $s$ and $t$ in $\bar{\mathcal{T}}$, respectively.

Using the previous theorem one can "reduce" certain simulation problems to their bisimulation counterparts. For example, instead of deciding simulation equivalence between $s$ and $t$, we can (in principle) decide bisimilarity between $\bar{s}$ and $\bar{t}$. However, this "reduction" is rarely effective. If $\mathcal{T}$ is generated by a PRS $\Delta$, one cannot compute another PRS $\bar{\Delta}$ which generates the system $\bar{\mathcal{T}}$ in general. It is not even clear if such a $\bar{\Delta}$ exists. Nevertheless, the effective construction is possible in some restricted cases. For example, if $\Delta$ is deterministic, then trivially $\bar{\Delta} = \Delta$. If $\Delta$ is a FS system, then $\bar{\Delta}$ is constructible in polynomial time because simulation preorder between the states of $\mathcal{T}_\Delta$ is computable in polynomial time. A less trivial example is that of OC-N systems: if $\Delta$ is an OC-N system, then $\bar{\Delta}$ is an effectively definable OC-A system (Jancar et al. 2000). Hence, certain simulation problems for OC-N processes are effectively reducible to the corresponding bisimulation problems over OC-A processes, and the decidability of some of them has indeed been established in this way (Jancar et al. 2000).
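The two constructions above in code, as an added example (this is not code from the paper or from Kucera and Mayr): simulation preorder and bisimilarity are computed as greatest fixed points on a constructed finite-state system; `preorder_to_equivalence` is the reduction of Section 3.1.1 (the paper leaves the transitions $s' \to s$, $s' \to t$, $t' \to t$ unlabelled, here they carry an assumed fresh action `x`); `twin_system` is Definition 6, and the last check is Theorem 2 on a pair that is simulation equivalent but not bisimilar.

```python
# Constructed LTS (not from the paper): state -> list of (action, successor).
# s and t are simulation equivalent but not bisimilar.
LTS = {
    's':  [('a', 'u1'), ('a', 'u2')],
    'u1': [('b', 'z')],
    'u2': [('b', 'z'), ('c', 'z')],
    't':  [('a', 'v')],
    'v':  [('b', 'z'), ('c', 'z')],
    'z':  [],
}


def _largest_relation(lts, symmetric):
    """Greatest fixed point: start from all pairs and drop (p, q) while some move
    of p (and, when symmetric, of q) cannot be matched inside the relation."""
    R = {(p, q) for p in lts for q in lts}

    def matched(p, q):
        # every p -a-> p2 has a q -a-> q2 with (p2, q2) still in R
        return all(any(b == a and (p2, q2) in R for b, q2 in lts[q])
                   for a, p2 in lts[p])

    changed = True
    while changed:
        changed = False
        for p, q in list(R):
            ok = matched(p, q)
            if symmetric:  # the defender must also answer q's moves with p's moves
                ok = ok and all(any(b == a and (p2, q2) in R for b, p2 in lts[p])
                                for a, q2 in lts[q])
            if not ok:
                R.discard((p, q))
                changed = True
    return R


def sim_preorder(lts):
    """All pairs (p, q) such that p is simulated by q."""
    return _largest_relation(lts, symmetric=False)


def sim_equivalent(lts, p, q):
    R = sim_preorder(lts)
    return (p, q) in R and (q, p) in R


def bisimilar(lts, p, q):
    return (p, q) in _largest_relation(lts, symmetric=True)


def preorder_to_equivalence(lts, s, t, fresh='x'):
    """Reduction of Section 3.1.1: s' -> s, s' -> t, t' -> t.  Then s is simulated
    by t iff s' and t' are simulation equivalent.  The new transitions carry the
    action `fresh`, assumed not to occur in lts (hypothetical naming of this example)."""
    assert all(a != fresh for moves in lts.values() for a, _ in moves)
    new = dict(lts)
    new["s'"] = [(fresh, s), (fresh, t)]
    new["t'"] = [(fresh, t)]
    return new, "s'", "t'"


def twin_system(lts):
    """Definition 6: keep only the maximal transitions.  p -a-> q is maximal iff no
    other a-successor q2 of p strictly dominates q in simulation preorder."""
    R = sim_preorder(lts)
    return {p: [(a, q) for a, q in moves
                if not any(b == a and (q, q2) in R and (q2, q) not in R
                           for b, q2 in moves)]
            for p, moves in lts.items()}


if __name__ == '__main__':
    print(sim_equivalent(LTS, 's', 't'), bisimilar(LTS, 's', 't'))       # True False
    print(bisimilar(twin_system(LTS), 's', 't'))                           # True (Theorem 2)
    print(sim_equivalent(*preorder_to_equivalence(LTS, 'u1', 'u2')))      # True: u1 is simulated by u2
    print(sim_equivalent(*preorder_to_equivalence(LTS, 'u2', 'u1')))      # False
```

In the twin system the non-maximal transition $s \xrightarrow{a} u_1$ disappears (because $u_1 \sqsubseteq_{sm} u_2$ but not vice versa), after which $s$ and $t$ become bisimilar, exactly as Theorem 2 predicts.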



3.2 Decidability and Upper Complexity Bounds

3.2.1 Bisimulation Bases.

The technique of bisimulation bases was pioneered by Caucal in (Caucal 1990). We start by explaining the underlying principle which is to some extent model-independent. The introduced notions are then illustrated on a concrete example. Finally, we show how the method applies to weak bisimilarity.

Since the "classical" results about bisimulation bases are carefully presented in (Burkart et al. 1999), we mention them just shortly. The main point of this section is the part about weak bisimilarity which is based on recent results (Kucera and Mayr 2002c).

Definition 7

Let $\mathcal{T}_1 = (S_1, Act, \to_1)$ and $\mathcal{T}_2 = (S_2, Act, \to_2)$ be two transition systems; we will write just $\to$ instead of $\to_1$, $\to_2$. Let $R \subseteq S_1 \times S_2$. We say that a pair $(s, t) \in S_1 \times S_2$ expands in $R$ if

• for every $s \xrightarrow{a} s'$ there is some $t \xrightarrow{a} t'$ such that $(s', t') \in R$;

• for every $t \xrightarrow{a} t'$ there is some $s \xrightarrow{a} s'$ such that $(s', t') \in R$.

Now let $P, R \subseteq S_1 \times S_2$. We say that $P$ expands in $R$ if all pairs of $P$ expand in $R$.

Let $\mathcal{C}_1$ and $\mathcal{C}_2$ be subclasses of process rewrite systems (not necessarily different), and let $\Delta_1 \in \mathcal{C}_1$ and $\Delta_2 \in \mathcal{C}_2$. Further, let

$$Bis = \{(\alpha, \beta) \mid \alpha \in \mathcal{T}_{\Delta_1},\ \beta \in \mathcal{T}_{\Delta_2},\ \alpha \sim \beta\}$$

be the bisimilarity relation between the processes of $\Delta_1$ and $\Delta_2$. A bisimulation base $\mathcal{B}$ (for $\Delta_1$ and $\Delta_2$) is a finite subset of $Bis$ consisting only of "crucial" bisimilar pairs from which the whole relation $Bis$ can be generated in some "syntactic" way. More precisely, one defines an operator $Gen$ which for each relation $R \subseteq \mathcal{T}_{\Delta_1} \times \mathcal{T}_{\Delta_2}$ returns another relation $Gen(R) \subseteq \mathcal{T}_{\Delta_1} \times \mathcal{T}_{\Delta_2}$ so that the following conditions are satisfied:

(1) $Gen(\mathcal{B}) = Bis$.

(2) $Gen$ is monotonic, i.e., if $R \subseteq R'$ then $Gen(R) \subseteq Gen(R')$.

(3) If $R$ is a relation which expands in $Gen(R)$, then also $Gen(R)$ expands in $Gen(R)$. (In other words, if $R$ expands in $Gen(R)$ then $Gen(R)$ is a bisimulation.)

Of course, finite bisimulation bases, and the associated $Gen$ operators, exist only for some subclasses $\mathcal{C}_1$ and $\mathcal{C}_2$ of PRS. If the question whether $(\alpha, \beta) \in Gen(R)$ is semidecidable ($R$ being finite), then the question whether $R$ expands in $Gen(R)$ is also semidecidable. Therefore, the problem $\mathcal{C}_1 \sim \mathcal{C}_2$ is semidecidable: to verify that $\alpha \sim \beta$, we can run a semidecision procedure which is guaranteed to find a finite relation $R$ which expands in $Gen(R)$ and for which $(\alpha, \beta) \in Gen(R)$ (on condition that such a relation $R$ exists). If $\alpha \sim \beta$, then this procedure halts because the finite base $\mathcal{B}$ must eventually be found (observe that $\mathcal{B}$ has all the required properties). And if the procedure halts because some relation $R$ satisfying all of the required properties is found, we can conclude that $Gen(R)$ is a bisimulation (due to (3) above), hence $\alpha \sim \beta$.

Since the negative subcase $\mathcal{C}_1 \not\sim \mathcal{C}_2$ is semidecidable due to generic reasons (see Theorem 1), we in fact obtain the decidability of the $\mathcal{C}_1 \sim \mathcal{C}_2$ problem.

Now assume that the membership in $Gen(R)$ is even decidable for every $R$, and that for all $\Delta_1$ and $\Delta_2$ there is an effectively computable relation $Q$ which is guaranteed to subsume the base. Then the base is computable by the algorithm of Fig. 4. Note that if $\mathcal{B} \subseteq R$, then $\mathcal{B}$ expands in $Gen(R)$, because $\mathcal{B}$ expands in $Gen(\mathcal{B})$ and $Gen$ is monotonic (see (2) above). This means that $\mathcal{B} \subseteq B$ is an invariant of the repeat-until loop of the algorithm of Fig. 4. Moreover, if $Q$ is computable in polynomial time (in the size of $\Delta_1$ and $\Delta_2$), and the membership in $Gen(R)$ is decidable in polynomial time, then the base is computable in polynomial time.

Input: Process Rewrite Systems $\Delta_1 \in \mathcal{C}_1$, $\Delta_2 \in \mathcal{C}_2$.
Output: The base $\mathcal{B}$.

B := Q;
repeat
    R := B; B := ∅;
    for all (α, β) ∈ R do
        if (α, β) expands in Gen(R) then B := B ∪ {(α, β)} fi
    od;
until B = R;
𝓑 := B;

Fig. 4. An algorithm for computing $\mathcal{B}$
Example 1

If $\mathcal{C}_1 = \mathcal{C}_2 = $ nBPA and $\Delta_1 = \Delta_2 = \Delta$, one can put

$$\mathcal{B} = \{(X, \alpha) \mid X \in \mathcal{C}(\Delta),\ \alpha \in \mathcal{S}(\Delta),\ X \sim \alpha\}$$

and $Gen(R) = Congr(R)$, where $Congr(R)$ is the least congruence over $\mathcal{S}(\Delta)$ w.r.t. "$\cdot$" subsuming $R$. The $\mathcal{B}$ can be over-approximated by a finite relation

$$Q = \{(X, \alpha) \mid X \in \mathcal{C}(\Delta),\ \alpha \in \mathcal{S}(\Delta),\ norm(X) = norm(\alpha)\}$$

where $norm(\alpha)$ is the length of the shortest sequence $w \in Act^*$ such that $\alpha \xrightarrow{w} \varepsilon$. Realize that $\mathcal{B}$ and $Q$ are finite relations because bisimilar processes must have the same norm and there are only finitely many processes with a given finite norm.

To get some idea on how all this works, let us prove that $Gen(\mathcal{B}) = Bis$. Clearly $Gen(\mathcal{B}) \subseteq Bis$, because bisimilarity is a congruence over $\mathcal{S}(\Delta)$ w.r.t. "$\cdot$". To prove $Bis \subseteq Gen(\mathcal{B})$, consider some $\alpha \sim \beta$; by induction on $norm(\alpha) = norm(\beta)$ we prove that $(\alpha, \beta) \in Gen(\mathcal{B})$. If $norm(\alpha) = 1$, then $\alpha = X$ for some $X$ and hence $(\alpha, \beta) \in \mathcal{B}$. Now let $norm(\alpha) > 1$. Then $\alpha = X \cdot \gamma$ and $\beta = Y \cdot \delta$; let us assume that $norm(X) \le norm(Y)$ (the other case is symmetric). Let $X \cdot \gamma \xrightarrow{w} \gamma$ where $length(w) = norm(X)$. The bisimilar process $Y \cdot \delta$ must be able to match this sequence of transitions by some $Y \cdot \delta \xrightarrow{w} \xi \cdot \delta$ so that $\gamma \sim \xi \cdot \delta$. Observe that $(\gamma, \xi \cdot \delta) \in Gen(\mathcal{B})$ by induction hypothesis. As $X \cdot \gamma \sim Y \cdot \delta$ and $\gamma \sim \xi \cdot \delta$, we also have $X \cdot \xi \cdot \delta \sim Y \cdot \delta$ and thus $X \cdot \xi \sim Y$ by applying the right cancellation law which is admitted by normed BPA processes. This means that $(Y, X \cdot \xi) \in \mathcal{B}$. To sum up, $(\gamma, \xi \cdot \delta) \in Gen(\mathcal{B})$ and $(Y, X \cdot \xi) \in \mathcal{B}$, which means that also $(X \cdot \gamma, Y \cdot \delta) \in Gen(\mathcal{B})$.

The operator $Gen$ is clearly monotonic, and one can show that the condition (3) above is also satisfied.
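The algorithm of Fig. 4 instantiated with Example 1, as an added example (this is not the paper's or Caucal's code). The normed BPA system is constructed; $Gen(R) = Congr(R)$ membership is decided by a brute-force search over words of equal norm (every rewrite by a pair of $R$ preserves the norm and only finitely many words share a norm, so the search terminates; this exponential decision procedure is an assumption of this example and not the polynomial $Gen$ of Hirshfeld et al.). The computed base then decides bisimilarity of arbitrary processes of the system.

```python
from collections import deque

# Constructed normed BPA system (not the paper's): X -> [(action, alpha)],
# alpha a tuple of constants, () the empty process epsilon.
RULES = {
    'A': [('a', ())],
    'B': [('a', ('A',))],
    'C': [('b', ())],
    'E': [('a', ('A',)), ('b', ('C',))],
}


def compute_norms(rules):
    """norm(X) = length of a shortest X -w-> epsilon, as a least fixpoint."""
    inf = float('inf')
    n = {X: inf for X in rules}
    changed = True
    while changed:
        changed = False
        for X, moves in rules.items():
            for _, alpha in moves:
                cand = 1 + sum(n[Y] for Y in alpha)
                if cand < n[X]:
                    n[X], changed = cand, True
    assert all(v < inf for v in n.values()), "the system must be normed"
    return n


NORM = compute_norms(RULES)


def norm(alpha):
    return sum(NORM[X] for X in alpha)


def succ(alpha):
    """Moves of X.rest: each rule X -a-> gamma yields X.rest -a-> gamma.rest."""
    if not alpha:
        return []
    return [(a, gamma + alpha[1:]) for a, gamma in RULES[alpha[0]]]


def words_of_norm(n):
    """All sequences of constants of norm exactly n (finite: every norm is >= 1)."""
    if n == 0:
        return [()]
    return [(X,) + w for X in RULES if NORM[X] <= n
            for w in words_of_norm(n - NORM[X])]


def in_congr(R, alpha, beta):
    """(alpha, beta) in Congr(R): beta is reachable from alpha by rewriting a factor
    X <-> gamma, (X, gamma) in R, at any position.  BFS over words of one norm."""
    if norm(alpha) != norm(beta):
        return False
    rewrites = [((X,), g) for X, g in R] + [(g, (X,)) for X, g in R]
    seen, queue = {alpha}, deque([alpha])
    while queue:
        w = queue.popleft()
        if w == beta:
            return True
        for lhs, rhs in rewrites:
            for i in range(len(w) - len(lhs) + 1):
                if w[i:i + len(lhs)] == lhs:
                    w2 = w[:i] + rhs + w[i + len(lhs):]
                    if w2 not in seen:
                        seen.add(w2)
                        queue.append(w2)
    return False


def expands(pair, R):
    """Definition 7 with Gen(R) = Congr(R)."""
    X, alpha = pair
    left, right = succ((X,)), succ(alpha)
    return (all(any(a == b and in_congr(R, g, d) for b, d in right) for a, g in left) and
            all(any(a == b and in_congr(R, g, d) for a, g in left) for b, d in right))


def compute_base():
    """The repeat-until loop of Fig. 4, started from Q of Example 1."""
    B = {(X, w) for X in RULES for w in words_of_norm(NORM[X])}
    while True:
        R = B
        B = {pair for pair in R if expands(pair, R)}
        if B == R:
            return B


BASE = compute_base()


def bisimilar(alpha, beta):
    """alpha ~ beta iff (alpha, beta) in Gen(BASE) = Congr(BASE)  (condition (1))."""
    return in_congr(BASE, alpha, beta)


if __name__ == '__main__':
    print(sorted(BASE))                                   # (B, AA) is the only non-trivial pair
    print(bisimilar(('B', 'B'), ('A', 'A', 'A', 'A')))    # True:  BB -> AAB -> AAAA
    print(bisimilar(('E', 'A'), ('A', 'E')))              # False: AE has no b-move
```

The loop drops the pair $(B, AC)$ only in its second iteration: in the first one $(A, C)$ still belongs to $R = Q$, so $A$ and $C$ are congruent in $Gen(R)$ and $(B, AC)$ expands; once $(A, C)$ is gone, it no longer does. This is the invariant $\mathcal{B} \subseteq B$ at work: the true base is never lost, and only non-bisimilar pairs are removed.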

From the previous example, it follows that the problem nBPA $\sim$ nBPA is decidable. This proof is essentially due to Caucal (Caucal 1990). Later, the structure of $\mathcal{B}$ was further simplified so that its size (and the size of $Q$) became polynomial in the size of $\Delta$, and a suitable $Gen$ was designed so that the algorithm of Fig. 4 terminates in polynomial time (Hirshfeld et al. 1996a). Hence, nBPA $\sim$ nBPA is in P. In (Christensen et al. 1995), it has been shown that a finite bisimulation base exists also for general (not necessarily normed) BPA processes. This implies the semidecidability (and hence also the decidability) of the BPA $\sim$ BPA problem. An algorithm for computing the bisimulation base for general BPA processes appeared in (Burkart et al. 1995), and this result led to an elementary upper complexity bound for the BPA $\sim$ BPA problem (a later result due to Srba (Srba 2002c) shows that the problem is PSPACE-hard).

Finite bisimulation bases exist also for BPP processes (Christensen et al. 1993). In the case of normed BPP processes, the base is small and can be computed in polynomial time (Hirshfeld et al. 1996b). The general problem BPP $\sim$ BPP is PSPACE-hard (Srba 2002b), and in fact PSPACE-complete (Jancar 2003) (see also Section 3.2.3).

The technique of bisimulation bases works also for weak bisimilarity, if the notion of expansion is modified as follows:

Definition 8

Let $\mathcal{T}_1 = (S_1, Act, \to)$ and $\mathcal{T}_2 = (S_2, Act, \to)$ be transition systems, and let $R \subseteq S_1 \times S_2$ be a relation. A pair $(s, t) \in S_1 \times S_2$ weakly expands in $R$ if

• for every $s \xrightarrow{a} s'$ there is some $t \overset{a}{\Rightarrow} t'$ such that $(s', t') \in R$;

• for every $t \xrightarrow{a} t'$ there is some $s \overset{a}{\Rightarrow} s'$ such that $(s', t') \in R$.

Let $P, R \subseteq S_1 \times S_2$. We say that $P$ weakly expands in $R$ if all pairs of $P$ weakly expand in $R$.

The "asymmetry" which appears in the definition of weak expansion matches the original definition of weak bisimilarity used in (Milner 1989). The principle would work also for the "symmetric version" of weak expansion, but the introduced asymmetry leads to important algorithmic simplifications.

Example 2

Let $\mathcal{C}_1 = $ BPA, $\mathcal{C}_2 = $ FS, $\Delta$ be a BPA system and $\Delta_2$ a FS system such that $\mathcal{C}(\Delta) \cap \mathcal{C}(\Delta_2) = \emptyset$. For technical convenience, we put $\Delta_1 = \Delta \cup \Delta_2$. Note that $\Delta_1$ is a BPA system. Now let

$$\mathcal{B} = \{(AX, Y) \mid A \in \mathcal{C}(\Delta),\ X, Y \in \mathcal{C}(\Delta_2),\ AX \approx Y\}$$
$$\quad \cup\ \{(A, Y) \mid A \in \mathcal{C}(\Delta),\ Y \in \mathcal{C}(\Delta_2),\ A \approx Y\}$$
$$\quad \cup\ \{(\varepsilon, Y) \mid Y \in \mathcal{C}(\Delta_2),\ \varepsilon \approx Y\}$$

Note that $\mathcal{B}$ can be over-approximated by a relation $Q$ of size $O(|\Delta_1| \cdot |\Delta_2|^2)$ which consists of all syntactically conformable pairs.

For every relation $R \subseteq Q$ we define $Gen(R)$ to be the least relation $K$ (between states of $\mathcal{T}_{\Delta_1}$ and states of $\mathcal{T}_{\Delta_2}$) subsuming $R$ such that

• whenever $(\alpha X, Y) \in K$ and $(\beta, X) \in K$, then also $(\alpha\beta, Y) \in K$;

• whenever $(\beta, X) \in K$ where $norm(\beta) = \infty$, then also $(\beta\gamma, X) \in K$ for all $\gamma \in \mathcal{S}(\Delta_1)$.

One can readily check that $Gen(\mathcal{B}) = Bis$ and that $Gen$ is monotonic. The proof that the condition (3) is also satisfied is more involved and can be found in (Kucera and Mayr 2002c).

Since the membership in $Gen(R)$ is easily decidable in polynomial time, one is tempted to conclude that the algorithm of Fig. 4 computes the base in polynomial time. This is indeed the case, but an additional problem has to be solved first. Let us consider, e.g., a pair of the form $(A, Y)$ where $A \in \mathcal{C}(\Delta)$ and $Y \in \mathcal{C}(\Delta_2)$. According to Definition 8, $(A, Y)$ weakly expands in $Gen(R)$ if for every "$\xrightarrow{a}$" move of one of the two processes there is a "$\overset{a}{\Rightarrow}$" move of the other process such that the resulting pair belongs to $Gen(R)$. The problem is that $A$ can have infinitely many $\overset{a}{\Rightarrow}$ successors and hence we cannot simply try them one by one. If we denote $Reach^a_A = \{\alpha \mid A \overset{a}{\Rightarrow} \alpha\}$ and $Gen_X(R) = \{\alpha \mid (\alpha, X) \in Gen(R)\}$, the question whether for a given $Y \xrightarrow{a} X$ there is some $A \overset{a}{\Rightarrow} \alpha$ such that $(\alpha, X) \in Gen(R)$ reduces to the problem of checking whether $Reach^a_A \cap Gen_X(R) = \emptyset$. Since both sets can be infinite, the key is to find a suitable finite representation for them. In this case, it suffices to employ finite-state automata: both sets are regular and the associated finite-state automata are small and efficiently computable. Now the emptiness of $Reach^a_A \cap Gen_X(R)$ can be decided in polynomial time by standard methods of automata theory (Hopcroft and Ullman 1979).

The details can be found in (Kucera and Mayr 2002c), where a similar method is used to show that also the problem nBPP $\approx$ FS is decidable in polynomial time. In this case, the set of states which are reachable from a given BPP process in one $\overset{a}{\Rightarrow}$ move is represented by a context-free grammar. Since the structure of the base is still regular, one can rely on the standard result saying that the emptiness of the intersection of a given CF-language and a given regular language can be decided in polynomial time. Recently, the method for BPA and FS processes described in Example 2 was generalized to PDA and FS systems and other behavioral equivalences (Kucera and Mayr 2004). In (Brazdil et al. 2004), it is shown that the technique of bisimulation bases is applicable also to probabilistic bisimilarity and probabilistic extensions of BPA, BPP, and PDA processes.
3.2.2 Characteristic Formulae for Finite-State Processes.

The problem of checking a given behavioral equivalence between an infinite-state process $g$ and a finite-state specification $f$ has recently been identified as an important subcase of the general equivalence-checking problem. There are two main reasons why this question attracts special attention. First, in equivalence-based verification, one usually compares a "real-life" system with an abstract behavioral specification. A faithful model of the real-life system often requires features like counters, or subprocess creation, or unbounded buffers, that make the model infinite-state. On the other hand, the behavioral specification is usually abstract, hence naturally finite-state. Moreover, infinite-state systems are often abstracted to finite-state systems even before applying further analytical methods. This approach naturally subsumes the question if the constructed abstraction is correct (i.e., equivalent to the original system). The second reason is that checking equivalence between an infinite and a finite-state process is computationally easier than comparing two infinite-state processes (as also demonstrated by results of Section 3.3).

In this section we first recall the notion of a characteristic formula and show how to construct characteristic formulae in the modal $\mu$-calculus (Steffen and Ingolfsdottir 1994). Then, we concentrate on bisimulation-like equivalences. We present a simple theorem which reformulates the problem of bisimilarity between an infinite and a finite-state process to some kind of "reachability question". This approach originated in (Jancar and Moller 1995; Abdulla and Kindahl 1995; Jancar and Kucera 1997). A more abstract formulation which applies also to weak bisimilarity is due to (Jancar et al. 2001). Using this result, we show that characteristic formulae for finite-state systems w.r.t. bisimulation-like equivalences can also be constructed in the branching-time logic EF. This logic is much simpler than the modal $\mu$-calculus, and consequently the model-checking problem with the logic EF is decidable for many classes of infinite-state systems. Thus, a number of decidability/complexity results about checking bisimilarity between infinite and finite-state processes have been obtained (Jancar et al. 2001).

Definition 9

Let $\mathcal{T} = (F, Act, \to)$ be a finite-state system, $f \in F$, and $\leftrightarrow$ an equivalence over the class of all processes. Let $\mathcal{C}_f$ be the class of all processes $s$ such that the set of actions of $s$ (in its underlying transition system) is included in $Act$. A formula $\varphi$ is characteristic for $f$ w.r.t. $\leftrightarrow$ if for every $s \in \mathcal{C}_f$ we have that $s \leftrightarrow f$ iff $s$ satisfies $\varphi$.

Characteristic formulae w.r.t. $\sim_i$ (for given $i \in \mathbb{N}$ and $Act$) are easily definable in Hennessy-Milner (H.M.) logic (Milner 1989). The syntax of H.M. logic is given by

$$\varphi ::= tt \mid \varphi \wedge \varphi \mid \neg\varphi \mid \langle a \rangle\varphi$$

where $a$ ranges over actions. Formulae are interpreted over processes; the propositional connectives have the standard meaning and $s \models \langle a \rangle\varphi$ iff there is some $s \xrightarrow{a} t$ such that $t \models \varphi$. A formula $\neg\langle a \rangle\neg\varphi$ is usually abbreviated to $[a]\varphi$.

Now consider the transition system of Fig. 5. The behavior of $f$ and $h$ is described (up to bisimilarity) by the following recursively defined properties $\varphi_f$ and $\varphi_h$, respectively.

Fig. 5. Processes $f$ and $h$.

$$\varphi_f \equiv \langle a \rangle\varphi_f \wedge \langle a \rangle\varphi_h \wedge \langle b \rangle\varphi_h \wedge [a](\varphi_f \vee \varphi_h) \wedge [b]\varphi_h$$
$$\varphi_h \equiv \langle b \rangle\varphi_f \wedge \langle b \rangle\varphi_h \wedge [a]ff \wedge [b](\varphi_f \vee \varphi_h)$$

These equations can be used to construct characteristic formulae for $f$ and $h$ w.r.t. $\sim_i$; we inductively define the family of $\xi_i$ and $\xi'_i$ formulae as follows:

$$\xi_0 = tt \qquad \xi'_0 = tt$$

Here $\varphi[\xi/\psi]$ denotes the formula obtained from $\varphi$ by replacing each occurrence of the subformula $\psi$ with the formula $\xi$. A straightforward proof confirms that for every process $s \in \mathcal{C}_f$ and $i \in \mathbb{N}$ we have that $s \sim_i f$ iff $s \models \xi_i$, and $s \sim_i h$ iff $s \models \xi'_i$. By Theorem 1 this means that $\bigwedge_{i=0}^{\infty} \xi_i$ and $\bigwedge_{i=0}^{\infty} \xi'_i$ are characteristic formulae for $f$ and $h$ w.r.t. $\sim$, respectively. These infinite conjunctions can be encoded in the modal $\mu$-calculus (Kozen 1983) by translating the recursive dependence between $\varphi_f$ and $\varphi_h$ into an explicit greatest fixed-point definition; thus, we obtain the formula

$$\Phi_f = \nu S.\ \langle a \rangle S \wedge \langle a \rangle\varphi_h \wedge \langle b \rangle\varphi_h \wedge [a](S \vee \varphi_h) \wedge [b]\varphi_h \quad \text{where}$$
$$\varphi_h = \nu T.\ \langle b \rangle S \wedge \langle b \rangle T \wedge [a]ff \wedge [b](S \vee T)$$

An analogous construction works also for weak bisimilarity. Instead of the "$\langle a \rangle$" modality of H.M. logic we employ its "weak form" $\langle\langle a \rangle\rangle$ defined by $\langle\langle a \rangle\rangle\varphi = \Diamond_\tau \langle a \rangle \Diamond_\tau \varphi$ where $s \models \Diamond_\tau\varphi$ iff there is $s \Rightarrow t$ such that $t \models \varphi$. Since the "$\Diamond_\tau$" is expressible in the modal $\mu$-calculus, one can construct characteristic formulae w.r.t. $\approx$ in this logic.

Characteristic formulae w.r.t. simulation equivalence are also easily definable in the modal $\mu$-calculus. To see this, examine the recursively defined properties $\psi_f, \psi_h$ and $\varrho_f, \varrho_h$:

$$\psi_f \equiv \langle a \rangle\psi_f \wedge \langle a \rangle\psi_h \wedge \langle b \rangle\psi_h \qquad\qquad \varrho_f \equiv [a](\varrho_f \vee \varrho_h) \wedge [b]\varrho_h$$
$$\psi_h \equiv \langle b \rangle\psi_f \wedge \langle b \rangle\psi_h \qquad\qquad\qquad\ \ \varrho_h \equiv [a]ff \wedge [b](\varrho_f \vee \varrho_h)$$

A closer look reveals that for every $s \in \mathcal{C}_f$ we have $s \models \psi_f$ iff $f \sqsubseteq_{sm} s$, and $s \models \varrho_f$ iff $s \sqsubseteq_{sm} f$. Hence, $s =_{sm} f$ iff $s \models \psi_f \wedge \varrho_f$. The formulae $\psi_f$ and $\varrho_f$ can be encoded in the modal $\mu$-calculus similarly as the formula $\varphi_f$ above.
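The constructions of this subsection as an added example (this is not the paper's code): H.M. formulae are nested tuples with a small model checker, and `char_bisim`, `char_simulated_by` and `char_simulates` are the general inductive constructions of $\xi^f_i$, of the depth-$i$ unfolding of $\psi_f$, and of that of $\varrho_f$, for any finite-state system and state; the $\varphi_f/\varphi_h$ and $\psi_f/\varrho_f$ equations above are the instance for Fig. 5. `FIG5` is Fig. 5 as read off from $\varphi_f$ and $\varphi_h$; `PROC` is a constructed process whose state `s` agrees with $f$ for two rounds of the bisimulation game and not for three, which shows why $\xi^k_f$ alone is not characteristic for $\sim$ (the reachability condition of Theorem 3 below repairs this).

```python
# Fig. 5 as read off from phi_f and phi_h: f -a-> f, f -a-> h, f -b-> h, h -b-> f, h -b-> h.
FIG5 = {'f': [('a', 'f'), ('a', 'h'), ('b', 'h')],
        'h': [('b', 'f'), ('b', 'h')]}

# Constructed process (not from the paper): x and w are exact copies of f and h,
# while s behaves like f for two rounds only (y lacks the move h -b-> h).
PROC = {'s': [('a', 'x'), ('a', 'y'), ('b', 'y')],
        'x': [('a', 'x'), ('a', 'w'), ('b', 'w')],
        'w': [('b', 'x'), ('b', 'w')],
        'y': [('b', 'x')]}

TT, FF = ('tt',), ('ff',)


def And(*fs): return ('and',) + fs
def Or(*fs):  return ('or',) + fs
def Dia(a, f): return ('dia', a, f)      # <a> f
def Box(a, f): return ('box', a, f)      # [a] f, i.e. not <a> not f


def sat(lts, s, phi):
    """s |= phi over lts (dict state -> list of (action, successor))."""
    op = phi[0]
    if op == 'tt':  return True
    if op == 'ff':  return False
    if op == 'and': return all(sat(lts, s, f) for f in phi[1:])
    if op == 'or':  return any(sat(lts, s, f) for f in phi[1:])
    if op == 'dia': return any(a == phi[1] and sat(lts, t, phi[2]) for a, t in lts[s])
    if op == 'box': return all(a != phi[1] or sat(lts, t, phi[2]) for a, t in lts[s])
    raise ValueError(op)


def actions(spec):
    return sorted({a for moves in spec.values() for a, _ in moves})


def char_bisim(spec, f, i):
    """xi^f_i, characteristic for f w.r.t. ~_i over processes using only actions of spec:
    xi_0 = tt,  xi_{i+1} = AND_{f -a-> f'} <a> xi^{f'}_i  AND  AND_a [a] OR_{f -a-> f'} xi^{f'}_i."""
    if i == 0:
        return TT
    parts = [Dia(a, char_bisim(spec, g, i - 1)) for a, g in spec[f]]
    for a in actions(spec):
        parts.append(Box(a, Or(FF, *[char_bisim(spec, g, i - 1) for b, g in spec[f] if b == a])))
    return And(*parts)


def char_simulated_by(spec, f, i):
    """psi^f_i: s |= psi^f_i iff f is simulated by s for i rounds."""
    if i == 0:
        return TT
    return And(*[Dia(a, char_simulated_by(spec, g, i - 1)) for a, g in spec[f]])


def char_simulates(spec, f, i):
    """rho^f_i: s |= rho^f_i iff s is simulated by f for i rounds ([a]ff when f has no a-move)."""
    if i == 0:
        return TT
    return And(*[Box(a, Or(FF, *[char_simulates(spec, g, i - 1) for b, g in spec[f] if b == a]))
                 for a in actions(spec)])


if __name__ == '__main__':
    for i in (1, 2, 3):
        print(i, sat(PROC, 's', char_bisim(FIG5, 'f', i)))     # True True False
    print(sat(PROC, 'x', char_bisim(FIG5, 'f', 6)))           # True: x is a copy of f
    print(sat(PROC, 's', char_simulates(FIG5, 'f', 6)),       # True: s is simulated by f
          sat(PROC, 's', char_simulated_by(FIG5, 'f', 4)))    # False: f is not simulated by s
```

Unfolding `char_bisim(FIG5, 'f', 1)` gives exactly $\varphi_f$ with every inner $\varphi$ replaced by $tt$, which is the substitution step the text describes; each further unfolding substitutes the previous level. The formula size grows exponentially in the depth, which is the motivation for the DAG representation mentioned below for the EF construction.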

To sum up, the modal $\mu$-calculus is sufficiently powerful to express characteristic formulae w.r.t. bisimilarity and simulation equivalence, and the size of these formulae is essentially the same as the size of the underlying transition system of $f$. Thus, the problem of checking bisimilarity and simulation equivalence with a finite-state process is polynomially reducible to the model-checking problem with the modal $\mu$-calculus. This is applicable to PDA and BPA processes where model-checking the modal $\mu$-calculus is known to be EXPTIME-complete (Walukiewicz 2001); hence, the problems PDA $\sim$ FS, PDA $\approx$ FS, PDA $\sqsubseteq_{sm}$ FS, FS $\sqsubseteq_{sm}$ PDA, and PDA $=_{sm}$ FS are in EXPTIME. The bounds for simulation are already tight, because these problems are also EXPTIME-hard (Kucera and Mayr 2002a). Actually, this holds even for BPA. However, we can do better for bisimilarity; the problems PDA $\sim$ FS and PDA $\approx$ FS are PSPACE-complete (Mayr 2000b; Kucera and Mayr 2002a). This requires an application of a different method which is described below.

If $\mathcal{C}$ is a class of processes such that $\sim_{i-1} = \sim_i$ over $\mathcal{C} \times \mathcal{C}$, then $\sim_i$ is a bisimulation relation and hence $\sim_{i-1} = \sim_i = \sim$ over $\mathcal{C} \times \mathcal{C}$. For example, if $\mathcal{C}$ is the set of processes of a finite-state transition system with $k$ states, then surely $\sim_{k-1} = \sim_k$, because any equivalence over $\mathcal{C}$ has at most $k$ equivalence classes and $\sim_{i+1} \subseteq \sim_i$ for every $i \in \mathbb{N}$. The same holds for $\approx_i$. The following theorem (Jancar et al. 2001) presents a simple (but important) observation about the problem of bisimilarity-checking with finite-state processes.

Theorem 3

Let $\mathcal{G} = (G, Act, \to)$ be a (general) transition system and $\mathcal{T} = (F, Act, \to)$ a finite-state transition system with $k$ states. States $g \in G$ and $f \in F$ are bisimilar iff the following conditions hold:

• $g \sim_k f$;

• for each state $g'$ such that $g \to^* g'$ there is a state $f' \in F$ such that $g' \sim_k f'$.

Proof

"$\Rightarrow$" is obvious. To prove the "$\Leftarrow$" direction, we show that the relation $R \subseteq G \times F$ given by

$$R = \{(g', f') \mid g \to^* g' \text{ and } g' \sim_k f'\}$$

is a bisimulation. Let $(g', f') \in R$ and let $g' \xrightarrow{a} g''$ for some $a \in Act$ (the case when $f' \xrightarrow{a} f''$ is handled in the same way). By definition of $\sim_k$ there is an $f''$ such that $f' \xrightarrow{a} f''$ and $g'' \sim_{k-1} f''$. It suffices to show that $g'' \sim_k f''$; as $g \to^* g''$, there is a state $\bar{f}$ of $\mathcal{T}$ such that $g'' \sim_k \bar{f}$. By transitivity of $\sim_{k-1}$ we have $\bar{f} \sim_{k-1} f''$, hence $\bar{f} \sim_k f''$ (remember that $\sim_{k-1} = \sim_k$ over $F \times F$). Now $g'' \sim_k \bar{f} \sim_k f''$ and thus $g'' \sim_k f''$ as required. Clearly $(g, f) \in R$ and the proof is finished. □

The previous theorem holds also for weak bisimilarity (we use $\approx_k$ instead of $\sim_k$ and $\overset{a}{\Rightarrow}$ instead of $\xrightarrow{a}$).

Theorem 3 is applicable to a variety of models. Since $\sim_k$ is decidable for all "reasonably defined" classes of processes, the problem of bisimilarity-checking between infinite-state processes of a class $\mathcal{C}$ and finite-state processes reduces to a kind of reachability problem for $\mathcal{C}$: all we need is an algorithm which, for a given process $s$ of $\mathcal{C}$, decides if $s$ can reach a state $s'$ which is not related by $\sim_k$ to any state of the considered finite-state system. In some cases, this is quite easy.
Example 3

Let $p\alpha$ be a PDA process. The behavior of PDA processes up to $\sim_k$ is determined by the current control state and the top $k$ symbols of the stack. Hence, for all processes $q\beta$ where the length of $\beta$ is bounded by $k$ we do the following (re-using the computational space for each of the exponentially many $q\beta$'s): first we decide if there is some state $f$ of the given finite-state system such that $q\beta \sim_k f$ (note that this can be done in polynomial space). If not, we either decide if $p\alpha \to^* q\beta$ (when $|\beta| < k$), or if $p\alpha \to^* q\beta\gamma$ for some $\gamma$ (when $|\beta| = k$). This can be done in polynomial time by employing standard techniques for pushdown automata (Hopcroft and Ullman 1979). Thus, we obtain a polynomial-space algorithm for the problem PDA $\sim$ FS (the PSPACE-hardness is due to (Mayr 2000b)).
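Theorem 3 and Example 3 in code, as an added example (this is not the paper's code): $\sim_k$ between a PDA configuration and a state of the finite-state system is decided by a memoised $k$-round game, and reachability of the heads $q\beta$ by the standard post* saturation construction for pushdown systems (Bouajjani, Esparza and Maler), which assumes rules that push at most two symbols. `PDA_OK`, `PDA_BAD` and `FS` are constructed; `PDA_BAD` passes the $\sim_k$ test for $k = 2$ but can reach a deadlock, so only the reachability condition rejects it.

```python
from itertools import product

FINAL = '_final'   # accepting state of the post* automaton

# Constructed PDA (not from the paper): (p, X, a, q, gamma) means p X w -a-> q gamma w.
PDA_OK = [('p', 'X', 'a', 'p', ('X', 'X')),
          ('p', 'X', 'b', 'q', ('X',)),
          ('q', 'X', 'a', 'p', ('X',))]
PDA_BAD = PDA_OK[:2] + [('q', 'X', 'a', 'p', ())]     # p X -b-> q X -a-> p eps: deadlock
# Constructed finite-state specification: state -> [(action, successor)]
FS = {'f': [('a', 'f'), ('b', 'g')], 'g': [('a', 'f')]}


def pda_succ(rules, cfg):
    p, w = cfg
    return [(a, (q, gamma + w[1:])) for pp, X, a, q, gamma in rules
            if w and pp == p and X == w[0]]


def bisim_k(rules, cfg, fs, f, k, memo):
    """cfg ~_k f: k rounds of the bisimulation game, memoised on (cfg, f, k)."""
    key = (cfg, f, k)
    if key not in memo:
        if k == 0:
            memo[key] = True
        else:
            cm, fm = pda_succ(rules, cfg), fs[f]
            memo[key] = (all(any(a == b and bisim_k(rules, c2, fs, f2, k - 1, memo) for b, f2 in fm) for a, c2 in cm)
                         and all(any(a == b and bisim_k(rules, c2, fs, f2, k - 1, memo) for a, c2 in cm) for b, f2 in fm))
    return memo[key]


def _closure(trans, states):
    """Epsilon closure in the post* automaton (label None is epsilon)."""
    seen, todo = set(states), list(states)
    while todo:
        s = todo.pop()
        for src, sym, dst in trans:
            if src == s and sym is None and dst not in seen:
                seen.add(dst); todo.append(dst)
    return seen


def _step(trans, states, X):
    cl = _closure(trans, states)
    return {dst for src, sym, dst in trans if sym == X and src in cl}


def _can_reach_final(trans, states):
    seen, todo = set(states), list(states)
    while todo:
        s = todo.pop()
        if s == FINAL:
            return True
        for src, _, dst in trans:
            if src == s and dst not in seen:
                seen.add(dst); todo.append(dst)
    return False


def post_star(rules, init):
    """Automaton accepting post*({init}): control states are automaton states, the
    initial stack is a chain to FINAL, and each rule (p, X -> q, gamma) adds, for every
    p -X-> s, the transitions reading gamma from q to s (an epsilon step when gamma is empty)."""
    p0, w0 = init
    assert w0 and all(len(r[4]) <= 2 for r in rules), "rules must push at most two symbols"
    trans, cur = set(), p0
    for i, X in enumerate(w0):
        nxt = FINAL if i == len(w0) - 1 else ('_init', i)
        trans.add((cur, X, nxt)); cur = nxt
    changed = True
    while changed:
        changed = False
        for idx, (p, X, _, q, gamma) in enumerate(rules):
            for s in _step(trans, {p}, X):
                if len(gamma) == 0:
                    new = {(q, None, s)}
                elif len(gamma) == 1:
                    new = {(q, gamma[0], s)}
                else:
                    mid = ('_rule', idx)
                    new = {(q, gamma[0], mid), (mid, gamma[1], s)}
                if not new <= trans:
                    trans |= new; changed = True
    return trans


def reachable(trans, q, beta, prefix):
    """(q, beta) reachable (prefix=False), or (q, beta gamma) for some gamma (prefix=True)."""
    states = {q}
    for X in beta:
        states = _step(trans, states, X)
    return _can_reach_final(trans, states) if prefix else FINAL in _closure(trans, states)


def pda_bisim_fs(rules, init, fs, f):
    """Theorem 3 with k = |fs|: init ~_k f, and no reachable head q beta (|beta| <= k)
    that is unrelated by ~_k to every state of fs.  For |beta| = k the game only
    inspects the top k symbols, so (q, beta) stands for all (q, beta gamma)."""
    k, memo = len(fs), {}
    if not bisim_k(rules, init, fs, f, k, memo):
        return False
    trans = post_star(rules, init)
    controls = {init[0]} | {r[0] for r in rules} | {r[3] for r in rules}
    alphabet = {r[1] for r in rules} | {Y for r in rules for Y in r[4]} | set(init[1])
    for q in controls:
        for n in range(k + 1):
            for beta in product(sorted(alphabet), repeat=n):
                if any(bisim_k(rules, (q, beta), fs, g, k, memo) for g in fs):
                    continue
                if reachable(trans, q, beta, prefix=(n == k)):
                    return False          # a reachable head no state of fs can match
    return True


if __name__ == '__main__':
    print(pda_bisim_fs(PDA_OK, ('p', ('X',)), FS, 'f'))    # True
    print(pda_bisim_fs(PDA_BAD, ('p', ('X',)), FS, 'f'))   # False
```

The example is exponential in $k$ for the same reason Example 3 is: all heads of length up to $k$ are enumerated, which is why the paper re-uses space per head to stay in PSPACE.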

Similarly, one can handle other models like BPP, PA, or Petri nets; proofs are still simple but not completely immediate (Jancar and Moller 1995; Jancar and Kucera 1997).

With help of Theorem 3 one can also construct characteristic formulae w.r.t. strong and weak bisimilarity in the logic EF. This logic is obtained by extending the H.M. logic with the "$\Diamond$" (reachability) operator; $s \models \Diamond\varphi$ iff there is $s \to^* s'$ such that $s' \models \varphi$. For the construction of characteristic formulae w.r.t. $\approx$, we also need the aforementioned "$\Diamond_\tau$" operator to express the "$\langle\langle a \rangle\rangle$" modality. The dual operators are $\Box\varphi = \neg\Diamond\neg\varphi$ and $\Box_\tau\varphi = \neg\Diamond_\tau\neg\varphi$. A characteristic formula for the process $f$ of Fig. 5 w.r.t. $\sim$ (or $\approx$) in the logic EF looks as follows:

$$\Phi_f = \xi^k_f \wedge \Box(\xi^k_f \vee \xi^k_h) \qquad (1)$$

Here $\xi^k_f$ and $\xi^k_h$ are characteristic formulae for $f$ and $h$ w.r.t. $\sim_k$ (or $\approx_k$). Note that, in general, the size of the formula (1) is exponential in the size of the underlying transition system of $f$. However, the size of the DAG¹ representing this formula is only polynomial. This is important because the complexity of many model-checking algorithms depends on the size of the DAG rather than on the size of the formula itself. Moreover, the DAG representing $\Phi_f$ is computable in polynomial time. Thus, results about model-checking with the logic EF carry over to the problem of strong/weak bisimilarity with a finite-state process. For example, model-checking the logic EF is decidable for PA processes (Mayr 2001) (while model-checking the modal $\mu$-calculus is undecidable already for BPP), and thus we obtain the decidability of PA $\sim$ FS and even PA $\approx$ FS. Since model-checking the logic EF for PDA is PSPACE-complete (Walukiewicz 2000), we obtain that the PDA $\sim$ FS and PDA $\approx$ FS problems are in PSPACE and hence PSPACE-complete (Kucera and Mayr 2002a).

Recently, Theorem 3 and the corresponding results about characteristic formulae have been generalized also to other behavioural equivalences (Kucera and Schnoebelen 2004).

¹ A DAG (directed acyclic graph or "circuit") representing a formula $\varphi$ is obtained from the syntax tree of $\varphi$ by identifying the nodes corresponding to the same subformula.
3.2.3 DD-functions

The technique of DD-functions was introduced in (Jancar 2003) in order to show that the problem BPP $\sim$ BPP is in PSPACE. Combined with Srba's result (Srba 2002b), PSPACE-completeness has thus been established. The technique of DD-functions was then also used in demonstrating the decidability of BPA $\sim$ BPP (Jancar et al. 2003).

Let $\mathcal{T} = (S, Act, \to)$ be a transition system. Stipulating that $\min\emptyset = \omega$, for all $s, t \in S$ we define the distance from $s$ to $t$ by

$$dist(s, t) = \min\{\, length(w) \mid s \xrightarrow{w} t \,\}.$$

Here $\omega$ denotes an infinite amount. The set $\mathbb{N} \cup \{\omega\}$ is denoted $\mathbb{N}_\omega$, and we put $\omega - n = \omega$ for each $n \in \mathbb{N}$.

DD-functions are defined inductively. First, for every action $a$ we define a function $dd_a$ which, for every process $s$, gives the "distance to disabling" the action $a$. Formally,

$$dd_a(s) = \min\{\, dist(s, t) \mid t \text{ has no } a\text{-successor} \,\}.$$

Given a tuple of (so far defined) DD-functions $\mathcal{F} = (d_1, \ldots, d_k)$, we observe that each transition $s \to t$ determines a change of $\mathcal{F}$, denoted $\mathcal{F}(t) - \mathcal{F}(s)$, which is a $k$-tuple of values from $\{-1\} \cup \mathbb{N}_\omega$ given by

$$\mathcal{F}(t) - \mathcal{F}(s) = (d_1(t) - d_1(s), \ldots, d_k(t) - d_k(s)).$$

Note that $d_i(s) = \omega$ implies $d_i(t) = \omega$. For technical reasons, we can then view $d_i(t) - d_i(s)$ as undefined, being interested only in changes of (so far) finite DD-functions.

The notion of change is used in the inductive step of the definition of DD-functions. For each triple $(a, \mathcal{F}, \delta)$, where $a$ is an action, $\mathcal{F}$ is a $k$-tuple of DD-functions, and $\delta$ is a $k$-tuple of values from $\{-1\} \cup \mathbb{N}_\omega$, the function $dd_{(a, \mathcal{F}, \delta)}$ (distance to disabling the action $a$ causing the change $\delta$ of $\mathcal{F}$) is also a DD-function, defined by

$$dd_{(a, \mathcal{F}, \delta)}(s) = \min\{\, dist(s, t) \mid \forall r:\ \text{if } t \xrightarrow{a} r \text{ then } \mathcal{F}(r) - \mathcal{F}(t) \neq \delta \,\}.$$

Here we (implicitly) assume that all functions from $\mathcal{F}$ are finite on $t$, which means that $\mathcal{F}(r) - \mathcal{F}(t)$ is defined. Note that the $dd_a$ functions can be viewed as $dd_{(a, \mathcal{F}, \delta)}$ where $\mathcal{F}$ and $\delta$ are the empty tuples (i.e., 0-tuples).

It is easy to show that all DD-functions are bisimulation invariant, i.e., $s \sim t$ implies $d(s) = d(t)$ for all DD-functions $d$. So, equality of the values of all DD-functions is a necessary condition for two states being bisimilar. For image-finite transition systems, this condition is also sufficient.
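The definitions above computed on a constructed finite transition system, as an added example (this is not code from Jancar 2003 or from the paper): $dist$, $dd_a$ and the inductive $dd_{(a, \mathcal{F}, \delta)}$, with $\omega$ represented by floating-point infinity (so that $\omega - n = \omega$ holds for finite $n$). States `s` and `t` have identical values of $dd_a$, $dd_b$, $dd_c$ but are separated by a second-level function, illustrating that the first level alone is not a complete invariant; `s` and `t` are not bisimilar, since their $a$-successors `x` and `y` offer different actions.

```python
from collections import deque
from math import inf   # stands for omega: inf - n == inf for every finite n

# Constructed transition system (not from the paper): state -> [(action, successor)].
LTS = {
    's': [('a', 'x')],
    'x': [('b', 'z')],
    't': [('a', 'y')],
    'y': [('b', 'z'), ('c', 'z2')],
    'z': [], 'z2': [],
    'w': [('a', 'w')],        # can never disable a: dd_a(w) = omega
}
ACTIONS = ('a', 'b', 'c')


def dist_to(lts, s, good):
    """min { dist(s, t) | good(t) }, with min of the empty set = omega."""
    seen, queue = {s}, deque([(s, 0)])
    while queue:
        u, d = queue.popleft()
        if good(u):
            return d
        for _, v in lts[u]:
            if v not in seen:
                seen.add(v); queue.append((v, d + 1))
    return inf


def change(F, s, t):
    """F(t) - F(s) for a transition s -> t; only meaningful when F is finite on s."""
    return tuple(d(t) - d(s) for d in F)


def dd(lts, a, F=(), delta=()):
    """dd_(a, F, delta) as a function on states: distance to a state t on which every
    function of F is finite and no move t -a-> r changes F by exactly delta.  With
    F = delta = () this is dd_a, because the only 0-tuple change is () itself, so
    the condition reduces to "t has no a-successor"."""
    def disabled(t):
        ft = tuple(d(t) for d in F)
        if any(v == inf for v in ft):        # change undefined on t: t does not qualify
            return False
        return all(b != a or tuple(d(r) - v for d, v in zip(F, ft)) != delta
                   for b, r in lts[t])
    return lambda s: dist_to(lts, s, disabled)


# First level: dd_a, dd_b, dd_c.
DD1 = tuple(dd(LTS, a) for a in ACTIONS)


def profile(s, F=DD1):
    """Values of the tuple F on s."""
    return tuple(d(s) for d in F)


# Second level: the a-move of s changes DD1 by DELTA_S; ask how far each state is
# from a state with no a-move of exactly that effect.
DELTA_S = change(DD1, 's', 'x')
DD2 = dd(LTS, 'a', DD1, DELTA_S)

if __name__ == '__main__':
    print(profile('s'), profile('t'))     # (1, 0, 0) (1, 0, 0): first level cannot separate them
    print(DELTA_S)                        # (-1, 1, 0)
    print(DD2('s'), DD2('t'))             # 1 0: the second level does
    print(dd(LTS, 'a')('w'))              # inf, i.e. omega
```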

Let $\Delta$ be a BPP system. A key observation in (Jancar 2003) reveals that DD-functions on states of $\Delta$ coincide with "norms" w.r.t. effectively constructible subsets of $\mathcal{C}(\Delta)$. For all $Q \subseteq \mathcal{C}(\Delta)$ and $\alpha \in \mathcal{P}(\Delta)$ we define

$$norm_Q(\alpha) = \min\{\, dist(\alpha, \beta) \mid \beta \text{ does not contain any constant from } Q \,\}.$$

The result of (Jancar 2003) says that for every DD-function $d$ there is some $Q \subseteq \mathcal{C}(\Delta)$ such that $d(\alpha) = norm_Q(\alpha)$ for every $\alpha \in \mathcal{P}(\Delta)$. Since there are only finitely many subsets of $\mathcal{C}(\Delta)$, there are only finitely many DD-functions which are pairwise different on the states of $\Delta$.

So, to find out if $\alpha \sim \beta$, it suffices to construct the relevant $Q$'s and check whether $norm_Q(\alpha) = norm_Q(\beta)$ for each of them. Although there can be exponentially many relevant $Q$'s, there is an algorithm performing the mentioned checking in polynomial space (Jancar 2003).
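The coincidence of DD-functions with norms on a constructed BPP system, as an added example (this is not the paper's or Jancar's code). $norm_Q$ is computed by a fixpoint over constants (a parallel process is free of $Q$ once each of its components is, so the norm is additive over components), while $dd_a$ is computed by breadth-first search, which terminates here only because the sample processes have finitely many reachable states. The set $Q_a$ is taken to be the constants having an $a$-rule, an assumption of this example justified by the fact that a BPP process has an $a$-move iff it contains such a constant.

```python
from collections import Counter, deque
from math import inf

# Constructed BPP system (not from the paper): X -> [(action, multiset of constants)].
# A process is a multiset (Counter) of constants; the empty Counter is epsilon.
RULES = {
    'X': [('a', Counter({'Y': 2}))],
    'Y': [('b', Counter()), ('a', Counter({'Z': 1}))],
    'Z': [('c', Counter())],
}


def proc(**counts):
    """proc(Y=2, Z=1) is the parallel composition Y|Y|Z."""
    return Counter(counts)


def norm_q(rules, Q):
    """norm_Q on constants as a least fixpoint: a constant outside Q costs nothing,
    one inside Q must be rewritten away (1 + cost of the rule's target); the norm
    of a process is the sum over its components."""
    n = {X: (inf if X in Q else 0) for X in rules}
    changed = True
    while changed:
        changed = False
        for X in Q:
            for _, alpha in rules[X]:
                cand = 1 + sum(n[Y] * k for Y, k in alpha.items())
                if cand < n[X]:
                    n[X], changed = cand, True
    return lambda alpha: sum(n[Y] * k for Y, k in alpha.items())


def succ(rules, alpha):
    """Moves of a BPP process: rewrite one occurrence of one constant."""
    return [(a, (alpha - Counter({X: 1})) + gamma)
            for X in alpha for a, gamma in rules[X]]


def _key(alpha):
    return tuple(sorted(alpha.items()))


def dd_a(rules, a, alpha):
    """dd_a by breadth-first search over reachable processes (finite for the samples)."""
    seen, queue = {_key(alpha)}, deque([(alpha, 0)])
    while queue:
        cur, d = queue.popleft()
        moves = succ(rules, cur)
        if all(b != a for b, _ in moves):
            return d
        for _, beta in moves:
            if _key(beta) not in seen:
                seen.add(_key(beta)); queue.append((beta, d + 1))
    return inf


def q_for_action(rules, a):
    """Q_a: constants with an a-rule (a process has an a-move iff it contains one)."""
    return {X for X, moves in rules.items() if any(b == a for b, _ in moves)}


def agrees(rules, a, samples):
    """Jancar's observation for dd_a: dd_a(alpha) == norm_{Q_a}(alpha) on every sample."""
    nq = norm_q(rules, q_for_action(rules, a))
    return all(dd_a(rules, a, alpha) == nq(alpha) for alpha in samples)


SAMPLES = [proc(X=1), proc(Y=2), proc(Y=1, Z=1), proc(X=1, Z=2), proc()]

if __name__ == '__main__':
    for a in 'abc':
        print(a, sorted(q_for_action(RULES, a)), agrees(RULES, a, SAMPLES))   # all True
    print(norm_q(RULES, q_for_action(RULES, 'a'))(proc(X=1)))                 # 3
```

For $X$ the value 3 is realised by $X \to Y|Y \to Z|Y \to Z$: both copies of $Y$ must disappear before $a$ is disabled, which is exactly what the additive norm over components counts.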

DD-functions were also used in (Jancar et al. 2003) to demonstrate the decidability of BPA $\sim$ BPP. A key point was to prove that DD-functions are prefix-encoded over BPA processes, which, roughly speaking, means that large finite values of DD-functions on BPA processes are tightly related to (i.e., represented by) large prefixes of these processes. More precisely, given a BPA system $\Delta$, for each DD-function $d$ there is a constant $c$ such that if $c < d(X\alpha) < \omega$ and $X \to \gamma$ then $d(\gamma\alpha) - d(X\alpha) = \|\gamma\| - \|X\|$ (where $\|\cdot\|$ denotes the norm, i.e., $\|\beta\| = dist(\beta, \varepsilon)$). Hence, a BPA process cannot perform a (short) sequence of moves causing a different change of two large finite DD-values. We say that DD-functions are dependent over BPA processes, i.e., for every two DD-functions $d_1, d_2$ there is $c$ such that if $c < d_1(\alpha) < \omega$, $c < d_2(\alpha) < \omega$ and $\alpha \to \beta$ then $d_1(\beta) - d_1(\alpha) = d_2(\beta) - d_2(\alpha)$.

If we are to find out whether $\alpha \sim \beta$ for a BPA process $\alpha$ and a BPP process $\beta$, we can proceed as follows. By using the above mentioned results from (Jancar 2003), one can use standard methods from Petri net theory to show that we can effectively check whether there are two DD-functions which are not dependent over the states reachable from $\beta$. If there are two such (independent) DD-functions then $\beta$ is not bisimilar to any BPA process. If all DD-functions are (pairwise) dependent then we can show that there is a constant $c$ such that for every $\gamma$ reachable from $\beta$ all finite DD-values which are larger than $c$ coincide (i.e., if $c < d_1(\gamma) < \omega$ and $c < d_2(\gamma) < \omega$, then $d_1(\gamma) = d_2(\gamma)$). Hence, all "large" DD-values can be represented by a single number. One can even effectively construct a one-counter process $\beta'$ which is bisimilar to $\beta$: the counter is used to represent the "large" DD-values, while "small" DD-values are remembered in the finite control unit. The process $\beta'$ is generally not definable in the OC-A syntax, because there can be a need to reset the counter back to zero in a single transition (when the "large" DD-values change to $\omega$). However, the reset can be easily modeled in PDA syntax by pushing a new bottom-of-stack symbol. Hence, $\beta'$ can be seen as an (effectively definable) PDA process. In (Jancar et al. 2003), the decidability proof was finished by resorting to the involved result by Senizergues (Senizergues 1998) enabling one to verify if $\alpha \sim \beta'$. (This "heavy machinery" is certainly not necessary for establishing the decidability of BPA $\sim$ BPP; the reduction was used just for technical convenience.)

3.3 Undecidability Results and Lower Complexity Bounds 

Almost all existing undecidability and hardness proofs for simulation- and bisimilarity-checking take advantage of the defender's ability to (indirectly) force the attacker to do a specific transition. In a simulation game, the defender can "threaten" the attacker by a possibility to go to a universal state in the way indicated in the corresponding figure (see Section 3.1.1 for further comments). A similar principle can be used also in bisimulation games. Here, the "threat" is based on a possibility to enter a bisimilar state. Consider processes s, t with transitions $s \xrightarrow{a} s'$, $t \xrightarrow{a} t'$, and $t \xrightarrow{a} t''$ where s' ~ t'. Under these assumptions, the move $t \xrightarrow{a} t''$ can be seen as the only (hopeful) option available to the attacker; the other options clearly lead to the defender's winning. This simple idea was used implicitly, e.g., in (Jancar 1995a). An explicit formulation is due to Srba (Srba 2003) who used this technique to establish PSPACE-hardness of the BPP ~ BPP and BPA ~ BPA problems (Srba 2002b; Srba 2002c). 

To demonstrate the use (and power) of the above principles, we present selected undecidability and hardness proofs for concrete models. In Section 3.3.1 we show that the problem PN ≈ PN is highly undecidable (more concretely, Σ^1_1-complete), and that the problem PA ⊑_sm FS is undecidable. 

3.3.1 Encodings of Minsky Machines. 

As can be expected, the undecidability results in the surveyed area have been obtained by reductions from the halting problem. As an example, we will recall the result for bisimilarity over Petri nets from (Jancar 1995b). This example is not really recent, but we will expand it to show how the high undecidability result for weak bisimilarity from (Jancar 1995a) can be strengthened and made much more elegant using a recent technique of Srba (Srba 2004). 

Minsky counter machines (with their halting problem) are a universal model which is technically convenient for our reduction. A counter machine ℳ with nonnegative counters c_1, ..., c_m is a sequence of instructions 

1 : INS_1; 2 : INS_2; ... ; n−1 : INS_{n−1}; n : halt 

where each INS_i (i = 1, 2, ..., n−1) is in one of the following two forms (assuming 1 ≤ k, l ≤ n, 1 ≤ j ≤ m): 

• c_j := c_j + 1; goto k 

• if c_j = 0 then goto k else (c_j := c_j − 1; goto l) 

Example 4 

PN ~ PN is undecidable. 

Proof 

Given a counter machine ℳ with m counters and n instructions, we construct a Petri net N_ℳ with places C_1, ..., C_m, Q_1, ..., Q_n, Q'_1, ..., Q'_n. Intuitively, C_1, ..., C_m correspond to the counters (the number of tokens in C_j represents the value of c_j) and Q_1, ..., Q_n correspond to the control places (i.e., to the instructions); the presence of the "control token" in Q_i means that INS_i is now to be performed. The places Q'_1, ..., Q'_n are "copies" of the control places Q_1, ..., Q_n; their purpose becomes clear later. The (labelled) transitions of N_ℳ are constructed as follows. 

• For each instruction i : c_j := c_j + 1; goto k we add a transition depicted in Fig. 6 (left); an analogous transition will also be added for the "copy" places Q'_i, Q'_k. 

Fig. 6. Transitions of the Petri net N_ℳ of Example 4 

• For each instruction i : if c_j = 0 then goto k else (c_j := c_j − 1; goto l) we add a transition depicted in Fig. 6 (middle), together with an analogous transition for Q'_i, Q'_l. We also add four transitions with label zer as depicted in Fig. 6 (right). Note that the two "middle" zer-transitions can be performed only when C_j is positive but leave C_j unchanged. 

• Finally, we add a transition with label s which just removes the control token from Q_n; it has no counterpart for Q'_n. 

Having the constructed net N_ℳ, it is a simple exercise to verify that the marking with one token in Q_1 and zero elsewhere is bisimilar to the marking with one token in Q'_1 and zero elsewhere iff the counter machine ℳ halts for the zero initial values in the counters (which is an undecidable problem). In particular, observe the role of the previously mentioned forcing: if the attacker performs a move which does not correspond to a faithful simulation of ℳ (i.e., uses a zer-transition when the respective C_j is nonzero), the defender can "punish" him by reaching an identical pair of markings (which is clearly a winning position for the defender). So, the only reasonable option for the attacker is to simulate the computation of the counter machine. The defender must mimic, and thus the attacker wins exactly when the machine halts. □ 
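The construction of Example 4, carried out in Python as an added example (not code from the paper): the net N_ℳ is built from a Minsky machine and two small plays of the bisimulation game are executed on it, a faithful simulation that ends with the unmatched s-transition enabled, and a cheating zero test that the defender punishes with one of the "middle" zer-transitions. Fig. 6 is not reproduced on the page, so the labels "inc" and "dec" and the exact shape of the two crossing zer-transitions are assumptions; the sample machine is constructed.

```python
"""Petri net N_M of Example 4, built from a Minsky machine, with a small token game.

A machine is a list of instructions indexed 1..n (instruction n is "halt"):
  ("inc", j, k)      c_j := c_j + 1; goto k
  ("test", j, k, l)  if c_j = 0 then goto k else (c_j := c_j - 1; goto l)
Places are C1..Cm, Q1..Qn and the copies Q'1..Q'n; a marking is a dict place -> tokens.
A transition is (label, consumed, produced).  The paper's Fig. 6 is not reproduced,
so the labels "inc" and "dec" of the increment/decrement transitions are assumptions;
"zer" and "s" are the labels named in the text.
"""
from collections import Counter


def build_net(machine):
    """Construct the transitions of N_M (the places are implicit in the dicts)."""
    trans = []

    def add(label, consumed, produced):
        trans.append((label, Counter(consumed), Counter(produced)))

    for i, ins in enumerate(machine, start=1):
        if ins[0] == "halt":
            add("s", {f"Q{i}": 1}, {})                 # no counterpart for Q'_n
        elif ins[0] == "inc":
            _, j, k = ins
            for q in ("Q", "Q'"):                      # Fig. 6 (left) and its copy
                add("inc", {f"{q}{i}": 1}, {f"{q}{k}": 1, f"C{j}": 1})
        elif ins[0] == "test":
            _, j, k, l = ins
            for q in ("Q", "Q'"):                      # Fig. 6 (middle) and its copy
                add("dec", {f"{q}{i}": 1, f"C{j}": 1}, {f"{q}{l}": 1})
                add("zer", {f"{q}{i}": 1}, {f"{q}{k}": 1})   # honest zero test
            # The two "middle" zer-transitions: enabled only when C_j holds a token,
            # leave C_j unchanged, and cross from the original to the copy control
            # places (and back).  They are the defender's means of punishment.
            add("zer", {f"Q{i}": 1, f"C{j}": 1}, {f"Q'{k}": 1, f"C{j}": 1})
            add("zer", {f"Q'{i}": 1, f"C{j}": 1}, {f"Q{k}": 1, f"C{j}": 1})
    return trans


def enabled(trans, marking):
    """Transitions whose consumed places all carry enough tokens."""
    return [t for t in trans if all(marking.get(p, 0) >= n for p, n in t[1].items())]


def fire(t, marking):
    """Fire an enabled transition; places with zero tokens are dropped so that
    markings can be compared with ==."""
    _, consumed, produced = t
    new = Counter(marking)
    new.subtract(consumed)
    new.update(produced)
    return dict(+new)


def find_transition(trans, label, src, dst):
    """The transition with the given label moving the control token src -> dst."""
    return next(t for t in trans if t[0] == label and src in t[1] and dst in t[2])


def faithful_play(trans, machine, bound=1000):
    """The attacker simulates the machine faithfully from the marking with one token
    in Q1.  Returns the final marking and whether the s-transition (the attacker's
    winning move, which the copy side cannot match) is enabled there."""
    marking, pc = {"Q1": 1}, 1
    for _ in range(bound):
        ins = machine[pc - 1]
        if ins[0] == "halt":
            break
        if ins[0] == "inc":
            label, nxt = "inc", ins[2]
        else:
            _, j, k, l = ins
            label, nxt = ("zer", k) if marking.get(f"C{j}", 0) == 0 else ("dec", l)
        marking = fire(find_transition(trans, label, f"Q{pc}", f"Q{nxt}"), marking)
        pc = nxt
    return marking, any(t[0] == "s" for t in enabled(trans, marking))


def defender_can_punish(trans, marking_n, marking_copy, attack):
    """The attacker fires `attack` in the marking of N.  Can the defender answer with
    a zer-transition in the copy marking so that both markings become identical?"""
    target = fire(attack, marking_n)
    return any(fire(t, marking_copy) == target
               for t in enabled(trans, marking_copy) if t[0] == "zer")


# Constructed sample machine: c1 := 2, then count c1 down to zero and halt.
MACHINE = [("inc", 1, 2), ("inc", 1, 3), ("test", 1, 4, 3), ("halt",)]

if __name__ == "__main__":
    net = build_net(MACHINE)
    print(faithful_play(net, MACHINE))                        # ({'Q4': 1}, True)
    cheat = find_transition(net, "zer", "Q3", "Q4")           # zero test while c1 = 2
    print(defender_can_punish(net, {"Q3": 1, "C1": 2}, {"Q'3": 1, "C1": 2}, cheat))  # True
    print(defender_can_punish(net, {"Q3": 1}, {"Q'3": 1}, cheat))                    # False
```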

The "level of undecidability" of PN ~ PN is low; this is just a Π^0_1-complete problem in the arithmetical hierarchy (the negative subcase, i.e., the existence of a winning strategy for the attacker, is easily seen to be semidecidable). Perhaps somewhat surprisingly, the problem PN ≈ PN turns out to be highly undecidable. In (Jancar 1995a), it was shown that the problem is beyond the arithmetical hierarchy, though clearly in the class Σ^1_1 of the analytical hierarchy. Now we show that PN ≈ PN is in fact a Σ^1_1-complete problem. This is achieved by modifying the construction recently presented by Srba (Srba 2004). 

A well-known Σ^1_1-complete problem is the question whether a given nondeterministic counter machine allows an infinite computation performing the first instruction infinitely often (the "recurrence problem"). Now we formulate another Σ^1_1-complete problem which better suits our purposes. 

Fig. 7. Modelling the instruction i : set c_j; goto k in Example 5 

Consider "extended" Minsky machines which are defined in the same way as "ordinary" (deterministic) Minsky machines, but the instruction set is extended by allowing instructions of the form 

i : set c_j; goto k 

The instruction set c_j sets the counter c_j to a nondeterministically chosen value (which can be an arbitrary nonnegative integer). Hence, we have unbounded nondeterminism. It is a routine programming exercise to show that the recurrence problem can be reduced to the problem whether there is an infinite computation of our extended counter machine: the (bounded) nondeterminism can be easily simulated, and we can add a special counter step which is (programmed to be) set to an arbitrary value before each execution of the (original) first instruction and is decremented before each other (original) instruction; if this is not possible (since step is 0), a jump to the halting state is performed. 

Example 5 

PN ≈ PN is Σ^1_1-complete. 

Proof 

Let ℳ be an extended Minsky machine. We construct a Petri net N_ℳ by taking the same sets of places and transitions as in Example 4 and adding further auxiliary places and transitions to handle instructions of the form i : set c_j; goto k. The places (r_1, r_2, r_3, r'_1, r'_2, one family for each such i) and transitions which are added for a given instruction i : set c_j; goto k are shown in Fig. 7 (their role is explained in the following paragraphs). 

Let us take two copies N, N' of the constructed net N_ℳ, and assume that the control token is in Q_i in N and in Q'_i in N', and the values of counters are the same in both nets. If the attacker wants to avoid reaching an identical pair of markings, he is forced to start by the a-move from Q_i in N (he moves the control token to r_1). The defender then has to move the control token in N' from Q'_i to r'_1, via the place r_3. Observe that while having the control token in r_3, the defender could perform a sequence of the respective two τ-transitions and thus set any chosen value to c_j (in N'). Now, when the control tokens are in r_1 (in N) and in r'_1 (in N'), the attacker is forced to make the a-move in N', shifting the token from r'_1 to Q'_k (otherwise the defender could immediately reach an identical pair of markings). The defender answers by moving the token from r_1 to Q_k (in N) via r_2, where he can set c_j (in N) to any chosen value. (We can safely assume that the instruction k is not another set-instruction and thus no τ-moves are possible from Q_k, Q'_k. The defender does not gain anything by leaving the token in r_2, because the attacker could move the token to Q_k in the next round anyway.) Now, the control tokens are in Q_k, Q'_k and it was the defender who set values to c_j in both N, N'. If the defender has set two different values, the attacker can obviously win by performing a sequence of actions ver. Otherwise, the correct simulation of a computation of ℳ continues. 

Hence, starting with markings M of N and M' of N', where M and M' have just a token in Q_1 and Q'_1, respectively, it is clear that M ≈ M' iff ℳ has an infinite computation. □ 

Reductions of the halting problem to simulation problems are usually simpler, because the constructed processes do not have to be "coupled" so tightly as in the case of bisimilarity. This is demonstrated in the last example of this subsection. 

Example 6 

PA ⊑_sm FS is undecidable. 

Proof 

Let ℳ be a counter machine with two counters initialized to zero. We construct a (deterministic) PA process Z_1 || Z_2 and a deterministic FS process f_1 such that Z_1 || Z_2 ⊑_sm f_1 iff ℳ does not halt. 

The rules of the underlying system of Z_1 || Z_2 look as follows: 

$Z_1 \xrightarrow{z_1} Z_1$, $Z_1 \xrightarrow{inc_1} C_1 \cdot Z_1$, $C_1 \xrightarrow{inc_1} C_1 \cdot C_1$, $C_1 \xrightarrow{dec_1} \varepsilon$, 

$Z_2 \xrightarrow{z_2} Z_2$, $Z_2 \xrightarrow{inc_2} C_2 \cdot Z_2$, $C_2 \xrightarrow{inc_2} C_2 \cdot C_2$, $C_2 \xrightarrow{dec_2} \varepsilon$ 

Hence, Z_1 || Z_2 is a parallel composition of two counters initialized to zero. The underlying FS system of f_1 corresponds to the finite control of ℳ. For every instruction of the form i : c_j := c_j + 1; goto k we have a rule $f_i \xrightarrow{inc_j} f_k$. For every instruction of the form i : if c_j = 0 then goto k else (c_j := c_j − 1; goto l) we have the rules $f_i \xrightarrow{z_j} f_k$ and $f_i \xrightarrow{dec_j} f_l$. Then we "enforce" these transitions. That is, 

• we add a new constant u together with rules $u \xrightarrow{a} u$ for every action a; 

• for every f_i, where i < n, and every action a: if there is no rule $f_i \xrightarrow{a} f_k$ for any k, then we add a rule $f_i \xrightarrow{a} u$. 

The attacker (who plays with Z_1 || Z_2) can choose a counter and perform one of the available operations on it. Since the defender "enforces" the right choice, the attacker's only chance is to faithfully emulate the machine ℳ; if ℳ halts, then the defender is eventually forced to enter the state f_n where he loses the game. Hence, Z_1 || Z_2 ⊑_sm f_1 iff ℳ does not halt. □ 
3.3.2 Hardness Results. 

The use of the "enforced" transitions in hardness proofs will be demonstrated on two examples. We show that the problems PDA ~ FS and PDA ⊑_sm FS are PSPACE-hard by reducing the QBF (Quantified Boolean Formula) problem to each of them. Our objective is to show what has to be done differently in the two respective cases, i.e., how the two "enforcing" techniques are implemented for the same models. (Note that the problems PDA ~ FS and PDA ⊑_sm FS are in fact PSPACE-complete and EXPTIME-complete, respectively (Kucera and Mayr 2002a).) For the rest of this section, let us fix a quantified Boolean formula 

φ = ∀x_1 ∃x_2 ··· ∀x_{n−1} ∃x_n : C_1 ∧ ··· ∧ C_m 

where every C_i is a clause, i.e., a disjunction of possibly negated propositions from {x_1, ..., x_n}. We can safely assume that n is even. The problem whether a given quantified Boolean formula holds is known to be PSPACE-complete; see, e.g., (Papadimitriou 1994). 

Example 7 

PDA ⊑_sm FS is PSPACE-hard. 

Proof 

Let us consider a process gL_1Z of a PDA system with rules 

• $gL_i \xrightarrow{a} gL_{i+1}X_i$, $gL_i \xrightarrow{a} gL_{i+1}\bar{X}_i$ for all odd i such that 1 ≤ i ≤ n; 

• $gL_i \xrightarrow{b} gL_{i+1}X_i$, $gL_i \xrightarrow{c} gL_{i+1}\bar{X}_i$ for all even i such that 1 ≤ i ≤ n; 

• $gL_{n+1} \to C_j\varepsilon$ for every 1 ≤ j ≤ m; 

• $C_jX_i \xrightarrow{d} C_jX_i$, $C_j\bar{X}_i \to C_j\varepsilon$ for all 1 ≤ i ≤ n and 1 ≤ j ≤ m such that x_i appears in the clause C_j; 

• $C_jX_i \to C_j\varepsilon$, $C_j\bar{X}_i \xrightarrow{d} C_j\bar{X}_i$ for all 1 ≤ i ≤ n and 1 ≤ j ≤ m such that ¬x_i appears in the clause C_j; 

• $C_jZ \xrightarrow{e} C_jZ$ for all 1 ≤ j ≤ m. 

We claim that the fixed quantified Boolean formula φ holds iff gL_1Z ⊑_sm f, where f is a finite-state process of the following system: 

Here, the black-filled circles denote the states which enforce the actions of their outgoing transitions (see Section 3.1.1). Intuitively, the attacker (who plays with gL_1Z) is responsible for choosing the assignment for variables with odd index, while the defender (who plays with f) chooses the assignment for variables with even index by forcing the attacker to do b or c in the next round. After the guessing phase, the attacker chooses a clause by performing one of the gL_{n+1} → C_jε transitions and starts to pop symbols from the stack, trying to find a symbol which witnesses the validity of the chosen clause. If no such symbol is found, the attacker eventually emits the action e and thus wins the game. Otherwise, he just performs an infinite number of d's and hence the defender wins. □ 
Example 8 

The problem PDA ~ FS is PSPACE-hard. 

Proof 

For purposes of this proof, let us assume (wlog) that φ contains a clause which is true for every assignment. Let gL_1Z be a PDA process defined by 

• $gL_i \xrightarrow{a} gL_{i+1}X_i$, $gL_i \xrightarrow{a} gL_{i+1}\bar{X}_i$ for all 1 ≤ i ≤ n; 

• $gL_{n+1} \xrightarrow{a} C_j\varepsilon$ for every 1 ≤ j ≤ m; 

• $C_jX_i \to p\varepsilon$, $C_j\bar{X}_i \to C_j\varepsilon$ for all 1 ≤ i ≤ n and 1 ≤ j ≤ m such that x_i appears in the clause C_j; 

• $C_jX_i \to C_j\varepsilon$, $C_j\bar{X}_i \to p\varepsilon$ for all 1 ≤ i ≤ n and 1 ≤ j ≤ m such that ¬x_i appears in the clause C_j; 

• $pX_i \to p\varepsilon$, $p\bar{X}_i \to p\varepsilon$ for all 1 ≤ i ≤ n; 

• $C_jZ \to C_jZ$ for all 1 ≤ j ≤ m. 

Moreover, we also add a-labelled transitions from gL_i for every even i where 1 ≤ i ≤ n, and another family of transitions which ensure that every process of the form f_{i+1}L_iα, where 1 ≤ i ≤ n, is bisimilar to the corresponding state in the following finite-state system: 

$f_1 \xrightarrow{a} f_2 \xrightarrow{a} f_3 \xrightarrow{a} f_4 \xrightarrow{a} f_5 \xrightarrow{a} \cdots \xrightarrow{a} f_{n+1} \xrightarrow{a} c \xrightarrow{a} g_1 \xrightarrow{d} g_2 \xrightarrow{d} \cdots \xrightarrow{d} g_{n+1}$ 

We argue that φ holds iff gL_1Z ~ f_1. The "ideal" scenario for the bisimulation game between the two processes looks as follows: the assignment for variables with odd index is chosen by the attacker who performs an appropriate a-move in the PDA process; the defender has to reply by the only available a-move in the finite-state system. If a variable x_i with an even index is to be assigned a value, the attacker performs the move $f_i \xrightarrow{a} f_{i+1}$ in the finite-state system. Now we distinguish two possibilities. 

• The formula ∃x_i ∀x_{i+1} ··· ∃x_n : C_1 ∧ ··· ∧ C_m is false after substituting each occurrence of x_j (for all j < i) with its previously assigned value. Then, the defender chooses some assignment for x_i by performing an a-move in the PDA process, but it does not really matter which one: from this point on, the attacker can always choose such an assignment for variables with odd index that the above given formula is false for every even i. Hence, the attacker can enforce the game situation when one token is on c and the chosen assignment falsifies some clause C_j. Then, the attacker performs the transition $gL_{n+1} \xrightarrow{a} C_j\varepsilon$ and the defender has to respond by $c \xrightarrow{a} g_1$. Now, the attacker pops symbols from the stack, and since there is no symbol witnessing the validity of C_j, he eventually emits e and thus he wins. 

• Otherwise, the defender chooses the "right" value for x_i, keeping a chance that the final assignment will satisfy all clauses. If the formula φ holds, he can thus enforce the game situation when one token is on c and the assignment stored in the PDA process satisfies every clause C_j; it is easy to check that the defender wins the game from this configuration. 

Fig. 8. The Decidability Border for Equivalence-Checking Problems 

The construction ensures that the two players do not gain anything by violating the just specified scenario (a full justification requires a detailed analysis). For example, the attacker cannot use the transitions $f_i \to f_{i+1}$ in the finite-state system because the defender could go to a bisimilar PDA state. □ 

4 An Overview of Existing Results 

In this section we give a brief overview of existing decidability and complexity results from the area of equivalence-checking on infinite-state processes. Results about the related regularity problem are also presented (given a process s and a behavioral equivalence ↔, we ask if s is "regular", i.e., equivalent to some unspecified finite-state process). 

The decidability border for equivalence-checking on infinite-state processes has already been determined for some behavioral equivalences. The left-hand part of Fig. 8 shows the decidability border for the problem C ↔ C, where C is a subclass of PRS and ↔ is one of the ~, ≈, and =_sm equivalences (the decidability of PA ~ PA, BPA ≈ BPA, and BPP ≈ BPP is still open; this is indicated by dashed circles because it is not known whether the bordering line goes above or below the considered class). The right-hand side of Fig. 8 shows the decidability border for the C ↔ FS problem. Detailed comments are split into several subsections. 

4.1 Results for (Weak) Bisimilarity 

4.1.1 Bisimilarity-Checking between Infinite-State Systems 

The first result indicating that bisimilarity is "more decidable" than trace/language equivalence is due to Baeten, Bergstra, and Klop (Baeten et al. 1998) who established the decidability of bisimilarity for normed BPA processes. The proof is based on isolating a complex periodicity hidden in the structure of transition systems generated by normed BPA processes. A simpler proof of this result was later given by Caucal in (Caucal 1990), where the technique of bisimulation bases was introduced. Another short proof is (Groote 1992). In (Huttel and Stirling 1998), a sound and complete tableau-based deductive system for bisimilarity on normed BPA processes has been designed. The complexity of the problem was first addressed by Huynh and Tian (Huynh and Tian 1994) who gave a Σ^p_2 = NP^NP upper bound. Later, Hirshfeld, Jerrum, and Moller demonstrated that the problem is decidable in polynomial time (Hirshfeld et al. 1996a). The decidability result has been extended to all (not necessarily normed) BPA processes by Christensen, Hüttel, and Stirling in (Christensen et al. 1995). Again, it is shown that bisimilarity over all states of a given BPA system can be represented by a finite bisimulation base. As the decidability result is obtained by a combination of two semidecision procedures, it does not allow for any complexity estimations. An algorithm with elementary complexity was given in (Burkart et al. 1995) (the authors mention that some straightforward optimizations would lead to a doubly exponential algorithm). A technical core of the result is a procedure which computes a finite bisimulation base for general BPA processes. Recently, a PSPACE lower bound for the problem BPA ~ BPA has been established by Srba in (Srba 2002c). The exact complexity classification is still missing. 

The observation that bisimilarity over processes of a given BPP system is finitely generated by a bisimulation base is due to Christensen, Hirshfeld, and Moller (Christensen et al. 1993) who proved the decidability of bisimilarity for BPP processes. A polynomial-time algorithm for normed BPP processes has been given in (Hirshfeld et al. 1996b). The complexity of the general case was addressed by Mayr in (Mayr 2000a) who gave a coNP lower bound for the problem, which has been improved to PSPACE by Srba (Srba 2002b). This result has recently been complemented by Jancar who gave a matching PSPACE upper complexity bound (Jancar 2003), which means that the BPP ~ BPP problem is PSPACE-complete. When Jancar's algorithm is carefully implemented for normed BPP processes, it runs in time O(n^3), as shown in (Jancar and Kot 2004). 

The decidability of bisimilarity between normed BPA and normed BPP processes was proved by Blanco (Blanco 1995) and independently in (Cerna et al. 1999). Later, the result was extended to parallel compositions of normed BPA and normed BPP processes in (Kucera 2000a). Recently, the decidability of BPA ~ BPP has been established in (Jancar et al. 2003). A deep result (Hirshfeld and Jerrum 1999) due to Hirshfeld and Jerrum says that bisimilarity is decidable for normed PA processes. The proof is based on the unique decomposition property of normed processes w.r.t. "·" and "||", and hence the method is not applicable to general PA processes. 

The semilinear structure of bisimilarity over one-counter processes has been identified in (Jancar 2000); it allows to conclude that bisimilarity is semidecidable (and thus decidable) for one-counter processes. However, the problem is computationally intractable even for one-counter nets: DP-hardness of OC-N ~ OC-N was demonstrated in (Kucera 2003) (the class DP is expected to be somewhat larger than the union of NP and coNP). In (Senizergues 1998), Senizergues proved that bisimilarity is decidable for general PDA processes. This also extends a previous result due to Stirling (Stirling 1998) which says that bisimilarity is decidable for a subclass of PDA processes which can always empty their stack. Senizergues's proof is obtained by adapting the method which previously led to the decidability of language equivalence for deterministic pushdown automata (Senizergues 2001). Recently, Stirling presented a primitive recursive algorithm for the same problem (Stirling 2002). As for lower bounds, the PDA ~ PDA problem is known to be EXPTIME-hard (Kucera and Mayr 2002a). 

The undecidability of bisimilarity for Petri nets is due to Jancar (Jancar 1995b). In fact, the proof (see Example 4) also works for PPDA processes. A related undecidability result is (Schnoebelen 2001) where Schnoebelen proved that bisimilarity as well as other process equivalences are undecidable for lossy channel systems. 

As for weak bisimilarity, many problems are still open. Weak bisimilarity is known to be semilinear, and thus semidecidable for BPP processes (Esparza 1995). Although the general case is still open, there is a decidability result for the subclass of totally normed BPP processes (Hirshfeld 1996) (a process is totally normed if it can reach ε in a finite sequence of transitions, but each such sequence must contain at least one action different from τ). The best known lower bound for the BPP ≈ BPP problem is PSPACE (Srba 2003), which is valid also for the normed subcase (previously, there was an NP (Stribrna 1998) and a Π^p_2 = coNP^NP lower bound (Mayr 2000a)). Weak bisimilarity between totally normed BPA processes is also decidable (Hirshfeld 1996). The problem BPA ≈ BPA is known to be PSPACE-hard (Stribrna 1998), even in the normed subcase (Srba 2003). Recently, the lower complexity bound for weak bisimilarity on normed BPA has been improved to EXPTIME in (Mayr 2004). The problem PDA ≈ PDA is already undecidable (Srba 2002e). This result has been generalized in (Mayr 2003) where it is shown that even the problem OC-N ≈ OC-N is undecidable. An incomparable result of (Srba 2002d) shows that PA ≈ PA is also undecidable. Weak bisimilarity between Petri nets is even highly undecidable (i.e., beyond the arithmetical hierarchy) (Jancar 1995a); this result has been strengthened to Σ^1_1-completeness and achieved also for PDA and PA in (Jancar and Srba 2004). 

4.1.2 Bisimilarity-Checking between an Infinite and a Finite-State System 

The problem has been considered in (Jancar and Moller 1995) where it is shown that PN ~ FS is decidable. However, PN ≈ FS is already undecidable (Jancar and Esparza 1996). The decidability of BPP ≈ FS was shown in (Mayr 1996). Theorem has been explicitly formulated in (Jancar and Kucera 1997) and (in a more abstract form) in (Jancar et al. 2001) where it is also shown that weak bisimilarity is decidable between so-called PAD processes and finite-state ones (the PAD class subsumes both PA and PDA processes). Complexity results followed: in (Kucera and Mayr 2002c) it was shown that the problems BPA ≈ FS and nBPP ≈ FS are solvable in polynomial time. The problem BPP ≈ FS is in PSPACE (Jancar et al. 2001), and the problem BPP ~ FS is in P (Kot and Sawa 2004). The problem PDA ~ FS is PSPACE-hard (Mayr 2000b), and the matching upper bound for PDA ≈ FS was given in (Kucera and Mayr 2002a), which means that the problems PDA ~ FS and PDA ≈ FS are PSPACE-complete. Bisimilarity between one-counter processes and finite-state processes was studied in (Kucera 2003). It is shown that OC-N ≈ FS is DP-hard, while OC-A ~ FS is solvable in polynomial time. The decidability of bisimilarity between lossy channel systems and finite-state systems is due to (Abdulla and Kindahl 1995). However, this problem (and in fact all non-trivial problems related to formal verification of lossy channel systems) are of nonprimitive recursive complexity (Schnoebelen 2002). 

4.1.3 Regularity-Checking 

The decidability of regularity w.r.t. ~ for Petri nets is due to (Jancar and Esparza 1996). The regularity problem is also decidable for BPA processes (Burkart et al. 1996) and OC-A processes (Jancar 2000). For normed processes, regularity w.r.t. ~ usually coincides with "syntactical boundedness", i.e., the question if a given process can reach infinitely many syntactically distinct states. This condition can be in some cases checked in polynomial time; it applies, e.g., to normed PA (Kucera 1999) and normed PDA processes. There are also some lower complexity bounds: regularity-checking w.r.t. ~ is known to be PSPACE-hard for BPA (Srba 2002c) and BPP (Srba 2002b) (previously, there was a coNP lower bound for BPP (Mayr 2000a) and a PSPACE lower bound for PDA (Mayr 2000b)). For Petri nets, one can easily establish the EXPSPACE lower bound by employing the simulation of a deterministic exponentially bounded machine due to Lipton (Lipton 1976). The problem is still open for general PA and PDA processes, though it is clearly semidecidable because bisimilarity with a (given) finite-state process is decidable for these models. Regularity w.r.t. ≈ is undecidable for Petri nets (Jancar and Esparza 1996) and EXPTIME-hard for PDA (Mayr 2004); for other major models of infinite-state systems, the problem remains open (it is again at least semidecidable by applying the same argument as above). 

4.2 Results for Simulation and Trace Preorder/Equivalence 

4.2.1 Simulation Preorder/Equivalence 

As opposed to bisimilarity, simulation preorder/equivalence between infinite-state processes tends to be undecidable. Since trace preorder and simulation preorder coincide over deterministic processes, the undecidability of simulation preorder/equivalence for BPA processes follows immediately from Friedman's result (Friedman 1976) which says that the language inclusion problem for simple grammars is undecidable. As for BPP, simulation preorder/equivalence is also undecidable as shown by Hirshfeld (Hirshfeld 1994). The only known class of infinite-state processes where simulation preorder/equivalence remains decidable are one-counter nets. The result has been achieved by Abdulla and Cerans (Abdulla and Cerans 1998). A simpler proof was later given in (Jancar et al. 1999), where it is also shown that simulation preorder/equivalence for one-counter processes is already undecidable. A DP lower bound for the OC-N ⊑_sm OC-N and OC-N =_sm OC-N problems is given in (Jancar et al. 2004). 
Deciding simulation between an infinite and a finite-state system is computationally easier. The decidability of PN ⊑_sm FS, FS ⊑_sm PN (and thus also PN =_sm FS) is due to (Jancar and Moller 1995). Simulation between lossy channel systems and finite systems is also decidable (in both directions) (Abdulla and Kindahl 1995). The result of (Schnoebelen 2002) implies that this problem is of nonprimitive recursive complexity. A more general argument showing the decidability of simulation between processes of the so-called well-structured transition systems and finite-state processes has been presented in (Abdulla et al. 1996). 

The decidability/tractability border for the problem has been established in (Kucera and Mayr 2002b). It is shown that PDA ⊑_sm FS and FS ⊑_sm PDA are in EXPTIME, and that PA ⊑_sm FS and FS ⊑_sm PA are already undecidable. Moreover, the following lower bounds are given: FS ⊑_sm BPA and FS ⊑_sm BPP are PSPACE-hard, and BPA ⊑_sm FS and BPP ⊑_sm FS (thus also BPA =_sm FS and BPP =_sm FS) are coNP-hard. Recently (Kucera and Mayr 2002a), the simulation preorder/equivalence problem between a BPA/PDA process and a finite-state process was shown to be EXPTIME-complete (for both directions of simulation preorder). In this case, the only difference between PDA and BPA (from the complexity point of view) is that simulation preorder/equivalence between PDA and FS is EXPTIME-complete even for a fixed finite-state process, while simulation between a BPA and any fixed finite-state process f is decidable in polynomial time (Kucera and Mayr 2002a). Other tractable problems are OC-N ⊑_sm FS, FS ⊑_sm OC-N, and OC-N =_sm FS, which are all decidable in polynomial time (Kucera 2000b). However, OC-A ⊑_sm FS, FS ⊑_sm OC-A, and OC-A =_sm FS are already DP-hard (Kucera 2000b; Jancar et al. 2004). As for regularity-checking w.r.t. =_sm, the problem is known to be decidable for OC-N processes (Jancar et al. 2000), and undecidable for Petri nets (Jancar and Moller 1995) and PA processes (Kucera and Mayr 2002b). 



4.2.2 Trace Preorder/Equivalence 

Since trace preorder/equivalence are closely related to language inclusion/equivalence of automata theory (Hopcroft and Ullman 1979), all (un)decidability results about BPA and PDA processes follow easily from the "classical" ones. It means that almost all problems are undecidable; the only notable exception is the PDA ⊑_tr FS problem which is decidable. The undecidability of trace preorder/equivalence between BPP processes is due to (Hirshfeld 1994). 

Trace preorder/equivalence with a finite-state system is undecidable for BPA and PDA, but decidable for Petri nets; PN ⊑_tr FS and FS ⊑_tr PN are decidable as shown in (Jancar and Moller 1995). In the same paper it is shown that regularity w.r.t. =_tr is undecidable for Petri nets. 